Oct 7, 2022 at 06:59Changpeng Zhao, the founder of cryptocurrency exchange Binance, officially announced on Twitter this morning that the company’s associated blockchain has been suspended. The reason is a hacker attack on the BSC Token Hub, a cross-network bridge for moving BEP-2 and BEP-20 format tokens, which led to the emission of an additional BNB service token.
A set of the most important facts
State of play at this point in time:
- The exchange claims that all customer funds are safe; only the additional BNB emission is in issue (due to a discovered vulnerability). The amount of stolen tokens is about 25% of the amount that Binance burns quarterly.
- The Binance exchange has often been accused of centralized control over the owners of all 21 BSC nodes and today’s incident proved this fact — the company stopped the network almost instantly.
- However, the attackers managed to withdraw about $110 million (out of potentially available $500–700 million). In a collaborative effort, about $7 million of the $110 million has already been frozen. Tether helped by adding the hackers’ new USDT wallet address to the blacklist.
Technical details of the hack
Technical details for those who want to understand how it happened:
The brand new newsletter with insights, market analysis and daily opportunities.
Let’s grow together!
- The attackers used an exploit that “resulted in additional BNB” (a double spending effect).
- The hackers funded the attack from addresses belonging to the ChangeNOW service; after executing the exploit, they injected 900,000 BNB into the Venus Protocol’s lending protocol to open $147 million worth of overcollateralized positions.
The Binance ecosystem runs on two parallel blockchains: the Binance Smart Chain (BSC) and the Binance Chain:
- BEP-2 tokens are Binance Chain cryptocurrency, previously created to run the DEX platform on PoW consensus, and do not support smart contracts. BSC with BEP-20 tokens is an advanced version with the PoS algorithm but few validators.
- The tokens of both the old and new networks were attacked.
Current Status
BNB Chain has published an update in which hacker accounts will be blocked, and transactions between BNB Beacon Chain and BNB Chain will be halted.
The network is up and running again, and the bridge vulnerability has been fixed. Venus Protocol and Binance report that everything is working normally again.
The BNB coin fell about 4% in today’s trading session on this negative news.
Update from our expert:
Due to the complexity of the contracts, the speed at which this space moves as a whole and the immeasurable amount of variables you need to take into account. It’s almost impossible to be completely bug free. It doesn’t matter how many web3 programmers there are, something as complex as this will always have weaknesses that can be exploited in some way, either for example due to a small code error, badly set parameters or just brute force.
Even the biggest chains and protocols who have the best people and test everything regularly and thoroughly will still have some flaws and weaknesses. I’m sure there are large, big brain and well funded teams worldwide who actively search for these kind of exploits cause the potential payday can be massive. It will happen time and time again and i’m sure we’ll see more of it in the future.
9
