A Massive Exploit on BNB Chain
Service on the BNB Chain ground to a halt on October 6th after an exploit of its cross-chain bridge let attackers move roughly $100 million in cryptocurrency off the network. As of October 7th, 06:34 UTC, the network had resumed operations, according to a tweet by BNB Chain.
BNB Smart Chain (BSC) is running ok from 20+ mins ago.
The validators are confirming their status and the community infrastructure are upgrading as well.
— BNB Chain (@BNBCHAIN) October 7, 2022
On Thursday, October 6th, BNB Chain announced a temporary pause of services due to “irregular activity” on the blockchain, before clarifying that the disruption was due to “possible exploits”. The BNB Chain team later reassured users that all systems were contained, and that the potential vulnerability had been investigated.
Following the incident, blockchain security firms SlowMist and PeckShield reported the occurrence of an exploit on the chain worth well over half a billion dollars. According to PeckShield, the attackers obtained 2 million BNB, the network's native token, valued at nearly $570 million at the exchange rate at the time of the incident.
Hi, @BNBCHAIN Apparently, two huge reward claims with each claiming 1M BNB and in total ~$586M rewards are claimed from its token hub. (https://t.co/mMg8o0u7fj) https://t.co/FxRHDdvuPg
— PeckShield Inc. (@peckshield) October 6, 2022
Initially, BNB Chain disclosed that funds valued between $70 – 80 million had been stolen from the BSC network. Approximately $7 million was frozen in the wake of the attack.
Initial estimates for funds taken off BSC are between $70M – $80M.
However, thanks to the community and our internal and external security partners, an estimated $7M has already been frozen
1/2
— BNB Chain (@BNBCHAIN) October 6, 2022
How Much Was the Actual Exploit?
According to blockchain security firm SlowMist, the attackers obtained 2 million $BNB in two transactions and deposited nearly $260M of it on Venus Protocol, a decentralized lending protocol on BNB Chain. The hacker then began laundering the funds through censorship-resistant blockchains, spreading them across several liquidity pools, decentralized exchanges, and lending protocols.
Since the $BNB Chain was suspended, the ~$430M on it cannot be transferred any further.
In total, over $110M was moved off the BNB Chain
Frozen: ~6.5M $USDT
Supplied to lending pools: ~$37.5M
Borrowed: ~$16.5M
Still have access to: $83.3M
— SlowMist (@SlowMist_Team) October 7, 2022
samczsun, a researcher at Paradigm, delved into the details of the exploit in a Twitter thread. The attacker managed to get the Binance Bridge (the BSC token hub) to release 1 million BNB to an address they controlled. Once that first transaction was confirmed, the attacker repeated the same method to obtain a second 1 million BNB.
“In summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages,” samczsun explained in the Twitter thread. “Fortunately, the attacker here only forged two messages, but the damage could have been far worse.” In other words, the bridge's receiving side accepted proofs for cross-chain messages that the source chain had never actually produced, so the withdrawals it authorized were fabricated rather than stolen from any user's balance.
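The failure mode samczsun describes, a proof verifier that can be talked into accepting a message the source chain never committed to, can be illustrated with a simplified Merkle inclusion proof. The block below is an added example written for this page; it is not code from samczsun, BNB Chain, or the bridge. It models the receiving side of a bridge that checks an inclusion proof against a trusted root: the `UNSAFE` and `SAFE` hashing schemes, the `forge_message` helper and the sample "release" messages are all hypothetical, and the specific weakness shown (no domain separation between leaf and inner-node hashes) is a well-known Merkle-tree pitfall used here for illustration, not a description of the actual BSC token hub bug.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A proof is the list of (sibling hash, sibling-is-on-the-right) pairs from leaf to root.
Proof = List[Tuple[bytes, bool]]


@dataclass(frozen=True)
class Scheme:
    """Hypothetical hashing rules for leaves and inner nodes of the commitment tree."""
    leaf_prefix: bytes
    node_prefix: bytes

    def leaf(self, msg: bytes) -> bytes:
        return hashlib.sha256(self.leaf_prefix + msg).digest()

    def node(self, left: bytes, right: bytes) -> bytes:
        return hashlib.sha256(self.node_prefix + left + right).digest()


# Weak verifier: leaves and inner nodes are hashed the same way, so the 64-byte
# concatenation of an inner node's two children "verifies" as if it were a
# committed message. (Illustrative only; not the BSC token hub bug itself.)
UNSAFE = Scheme(leaf_prefix=b"", node_prefix=b"")
# Hardened verifier: domain-separated leaf and node hashing (the RFC 6962 convention).
SAFE = Scheme(leaf_prefix=b"\x00", node_prefix=b"\x01")


def build_tree(scheme: Scheme, messages: List[bytes]) -> List[List[bytes]]:
    """Return all levels of the tree: level 0 = leaf hashes, last level = [root]."""
    assert messages and len(messages) & (len(messages) - 1) == 0, "power-of-two leaf count"
    levels = [[scheme.leaf(m) for m in messages]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([scheme.node(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def make_proof(levels: List[List[bytes]], index: int) -> Proof:
    """Honest prover: the siblings along the path from leaf `index` up to the root."""
    proof: Proof = []
    for level in levels[:-1]:
        proof.append((level[index ^ 1], index % 2 == 0))
        index //= 2
    return proof


def verify(scheme: Scheme, root: bytes, msg: bytes, proof: Proof) -> bool:
    """Receiving side of the bridge: recompute the root from msg and the proof."""
    acc = scheme.leaf(msg)
    for sibling, sibling_on_right in proof:
        acc = scheme.node(acc, sibling) if sibling_on_right else scheme.node(sibling, acc)
    return acc == root


def forge_message(levels: List[List[bytes]], node_index: int) -> Tuple[bytes, Proof]:
    """Attacker: present the two children of inner node `node_index` (level 1) as a
    'message', and supply the genuine path from that inner node to the root as proof."""
    leaves = levels[0]
    fake_msg = leaves[2 * node_index] + leaves[2 * node_index + 1]
    proof: Proof = []
    i = node_index
    for level in levels[1:-1]:
        proof.append((level[i ^ 1], i % 2 == 0))
        i //= 2
    return fake_msg, proof


def demo() -> Dict[str, Tuple[bool, bool, bool]]:
    """Per scheme: (genuine proof accepted, forged proof accepted, forged msg was committed)."""
    # Constructed sample cross-chain messages; nothing here is real bridge data.
    messages = [f"release 10 BNB to recipient-{i}".encode() for i in range(8)]
    results: Dict[str, Tuple[bool, bool, bool]] = {}
    for name, scheme in (("unsafe", UNSAFE), ("safe", SAFE)):
        levels = build_tree(scheme, messages)
        root = levels[-1][0]
        genuine_ok = verify(scheme, root, messages[3], make_proof(levels, 3))
        fake_msg, fake_proof = forge_message(levels, 1)
        forged_ok = verify(scheme, root, fake_msg, fake_proof)
        results[name] = (genuine_ok, forged_ok, fake_msg in messages)
    return results


if __name__ == "__main__":
    for name, (genuine, forged, committed) in demo().items():
        print(f"{name:6s} genuine={genuine} forged={forged} forged_msg_committed={committed}")
```

Under the `UNSAFE` scheme the forged message, which was never in the committed set, verifies against the genuine root; under `SAFE` the same forgery is rejected while honest proofs still pass. The lesson a bridge operator should take from the October incident is the same one this toy shows: the verifier on the receiving side must bind every accepted message to the exact structure the source chain committed to, and any shortcut in that check lets an attacker mint cross-chain messages at will.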
All activity on the BNB Chain was swiftly frozen, preventing the attacker from bridging the remaining assets to other chains. By then, however, approximately $100 million worth of tokens had already been moved to Ethereum, Avalanche, Fantom, and other chains, while the remaining roughly $430 million stayed stranded on BSC.
BNB Chain later confirmed in a Reddit post that between $100 – $110 million had been removed from the network.
$BNB’s price currently stands at $285.24, down 3.02% over the past 24 hours; its 24h peak was $296.03.
On the Flipside
- BNB Chain developers affirmed through a Reddit post that all user funds were secure. Venus Protocol confirmed the same for its own users' funds.
Why You Should Care
Hackers have stolen more than $2 billion in crypto from cross-chain bridges in 2022 alone, according to Chainalysis. This attack raises further concerns about cross-chain bridge security, since a bridge that accepts a forged proof can be made to release funds without any user's keys being compromised.