protos.com
On Thursday, Binance’s BSC Token Hub was hacked for two million $BNB, its native cryptocurrency, worth approximately $586 million at the time of the incident.
However, the attacker only managed to bridge a fraction of the loot to other chains before validators halted the network, blocking access to the $430 million remaining in the hacker’s $BNB chain address. The chain has since been reactivated.
Data from the DeBank portfolio tracker shows the hacker had access to approximately $110 million in various cryptocurrencies across Ethereum, Avalanche, and Fantom networks, as well as L2s Arbitrum and Optimism. However, of this, an estimated $6.5 million in $USDT has been frozen by Tether, the stablecoin’s issuer.
The attacked Token Hub is essentially a bridge allowing $BNB to be sent to their smart contract blockchain, $BNB Chain. The network, formerly known as Binance Smart Chain, is Binance’s DeFi ecosystem and the 3rd largest DeFi blockchain by Total Value Locked (TVL).
Since the $BNB Chain was suspended, the ~$430M on it cannot be transferred any further.
— SlowMist (@SlowMist_Team) October 7, 2022
In total, over $110M was moved off the $BNB Chain
Frozen: ~6,5M $USDT
Supplied to lending pools: ~$37.5M
Borrowed: ~$16.5M
Still have access to: $83.3M pic.twitter.com/zxieESGblL
In order to pull off the heist, the hacker sent falsified transactions which convinced the bridge’s code they had previously deposited two million $BNB to the bridge, and that they were eligible to withdraw it again. The two withdrawals of one million $BNB each were made just over two hours apart, minting the funds directly into the attacker’s address.
An official statement by the $BNB chain team explained that “the exploit was through a sophisticated forging of the low level proof into one common library,” and that a detailed post-mortem report is to follow. However, anonymous blockchain security researcher samczsun shared a more detailed explanation of the hack on Twitter, pointing out that the attacker could have taken even more if they had wanted to.
Five hours ago, an attacker stole 2 million $BNB (~$566M USD) from the Binance Bridge. During that time, I've been working closely with multiple parties to triage and resolve this issue. Here's how it all went down. pic.twitter.com/E0885Dc3lW
— samczsun (@samczsun) October 6, 2022
Read more: Explained: Why hackers keep exploiting cross-blockchain bridges
This is the latest incident in a crypto crime-spree targeting blockchain bridges this year. So far, victims have included Nomad ($190 million) in August, Harmony ($100 million) in June, Ronin (over $600 million) in March, and Wormhole (more than $300 million) in February.
Blockchain bridges are complicated elements of infrastructure, but crucial if funds are to be sent between chains. By design, each blockchain is a closed system, so sending funds from one to another relies either on trusting funds to a centralized operator, such as a crypto exchange, or relying on experimental code.
For a deeper look into why bridges are a favorite for hackers, see our explainer.
For more informed news, follow us on Twitter and Google News or listen to our investigative podcast Innovated: Blockchain City.