2 Million BNB Tokens Minted in BNB Chain Bridge Exploit

BNB Chain has given an official account of the events of Thursday’s massive $580 million-plus hack after resuming operations Friday, apologizing to the community and promising to implement changes to prevent such attacks in the future.

“The exploit was through a sophisticated forging of the low level proof into one common library,” wrote the company in the response.

Translated into English, this means that the hacker(s) forged messages that convinced the bridge to send them BNB. BNB Chain’s note also included a number of actions the company will take next, including:

• Deciding whether to freeze the hacked funds.
• Deciding whether to use Auto-Burn to cover the remaining hacked funds.
• Rewarding anyone who finds a significant bug in the future with $1 million.
• Rewarding 10% of recovered funds to any party who catches hackers.
• Continuing to expand the number of community validators to further decentralize BNB Chain.
• Introducing a new “on-chain governance mechanism” on BNB Chain to “fight and defend future possible attacks.”

What Exactly Happened?

To recap, the hacker(s) exploited the BSC Token Hub cross-chain bridge – the bridge between the BNB Beacon Chain/BEP2 and BNBChain/BEP20 chains – essentially minting 2 million new BNB (value of about $580 million) that they sent to themselves in two separate transfers.

Security firms and researchers have posted several analyses of the attack on Twitter starting Thursday not long after the attack, with details continuing to be filled in as the community dissects on-chain events and analyzes the exploiter’s moves.

Security firm Ancilia, Inc. was among the first parties to notice the hack, which they were listed as having reported on BscScan shortly after the attack began.

Anonymous Twitter user and blockchain researcher “samczsun” was among the first to detail the event, which they chronicled shortly after the hack unfolded.

The first step in the attack seems to have been when the person(s) now known as the “BNB bridge exploiter” registered as a relayer for the BSC Token Hub bridge so they could position themselves for the exploit, explained samczun on Twitter shortly after the hack, along with their detailed analysis.

“In summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages,” wrote samczsun. “Fortunately, the attacker here only forged two messages, but the damage could have been far worse.”

Once the hacker had the money, they began moving it off-chain in what some researchers have called sloppily executed and strangely slow. They managed to move about $90 million-$110 million off, according to different accounts, using it to buy stablecoins such as USDT and USDC via Venus Protocol and borrow ETH on Fantom, among other moves. Partway into the hacker’s attempt to move the funds, Tether froze about $10 million worth of USDT the hacker had acquired with the BNB.

Security firm PeckShield Inc. has analyzed the event and determined that closer to $90 million was moved off-chain, including about 58% to Ethereum, 33% to Fantom, and 4.5% to Arbitrum. How much the hacker has successfully made away with is still unclear, but BNB Chain noted in their response that a full and transparent “postmortem” is in progress and results will be made publicly available in hopes of helping other projects address vulnerabilities in their own bridges.