BNB
by BSCN
October 7, 2022
BNB Chain resumed operations and apologized to the community while promising changes to prevent future hacks, following the bridge exploit.
BNB Chain has given an official account of the events of Thursday’s massive $580 million-plus hack after resuming operations Friday, apologizing to the community and promising to implement changes to prevent such attacks in the future.
“The exploit was through a sophisticated forging of the low level proof into one common library,” wrote the company in the response.
Translated into English, this means that the hacker(s) forged messages that convinced the bridge to send them BNB. BNB Chain’s note also included a number of actions the company will take next, including:
To recap, the hacker(s) exploited the BSC Token Hub cross-chain bridge – the bridge between the BNB Beacon Chain/BEP2 and BNBChain/BEP20 chains – essentially minting 2 million new BNB (value of about $580 million) that they sent to themselves in two separate transfers.
Security firms and researchers have posted several analyses of the attack on Twitter starting Thursday not long after the attack, with details continuing to be filled in as the community dissects on-chain events and analyzes the exploiter’s moves.
Security firm Ancilia, Inc. was among the first parties to notice the hack, which they were listed as having reported on BscScan shortly after the attack began.
Anonymous Twitter user and blockchain researcher “samczsun” was among the first to detail the event, which they chronicled shortly after the hack unfolded.
The first step in the attack seems to have been when the person(s) now known as the “BNB bridge exploiter” registered as a relayer for the BSC Token Hub bridge so they could position themselves for the exploit, explained samczun on Twitter shortly after the hack, along with their detailed analysis.
“In summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages,” wrote samczsun. “Fortunately, the attacker here only forged two messages, but the damage could have been far worse.”
Once the hacker had the money, they began moving it off-chain in what some researchers have called sloppily executed and strangely slow. They managed to move about $90 million-$110 million off, according to different accounts, using it to buy stablecoins such as USDT and USDC via Venus Protocol and borrow ETH on Fantom, among other moves. Partway into the hacker’s attempt to move the funds, Tether froze about $10 million worth of USDT the hacker had acquired with the BNB.
Security firm PeckShield Inc. has analyzed the event and determined that closer to $90 million was moved off-chain, including about 58% to Ethereum, 33% to Fantom, and 4.5% to Arbitrum. How much the hacker has successfully made away with is still unclear, but BNB Chain noted in their response that a full and transparent “postmortem” is in progress and results will be made publicly available in hopes of helping other projects address vulnerabilities in their own bridges.
Latest News
12h : 21m ago
Thailand Explores Bitcoin Pilot Project in Phuket to Boost Tourism
14h : 21m ago
FLOKI DAO Proposes Launch of Europe-Based ETP on SIX Swiss Exchange
December 25, 2024
Binance's 63rd Launchpool Project: What is Bio Protocol (BIO)?
December 25, 2024
Crypto Adoption in South Korea Reaches Over 30% of the Population: Report
December 24, 2024
Binance Labs’ New Investment: What is Usual?
December 24, 2024
Crypto.com Launches U.S. Institutional Cryptocurrency Custody Service
December 23, 2024
Shiba Inu Ecosystem and Turbo Memecoin Adopt Cross-Chain Token Standard with Chainlink CCIP
December 23, 2024
VanEck Predicts Strategic Bitcoin Reserve Could Offset $42T of U.S. Debt by 2049