The BNB Chain team halted the network amid the breach of the BSC Token Hub bridge. Hackers stole digital assets worth more than $544 million, but only $100 million had been withdrawn.
This reddit post contains a bit more detail.https://t.co/ENjBRvEWjT
— CZ 🔶 Binance (@cz_binance) October 6, 2022
“The initial assessment of funds exfiltrated from BSC ranges from $100 million to $110 million. However, thanks to the actions of the community, as well as our internal and external security partners, about $7 million has already been frozen,” said a Binance spokesperson on Reddit.
BSC Token Hub is the internal cross-chain bridge of the BNB Chain ecosystem. It enables transfer of tokens between the governance blockchain BNB Beacon Chain and the consensus layer of the BNB Smart Chain (BSC).
According to Binance CEO Changpeng Zhao, the attackers exploited an exploit that “led to the appearance of additional BNB”. The project team asked validators to suspend operations on the BSC.
The BNB Chain team published a code update. Activation by validators of the hard fork would lead to:
- blocking the hacker accounts;
- freezing transfers of assets between the BNB Beacon Chain and the BNB Smart Chain.
Update📢 BSC validators are coordinating to bring back BNB Smart Chain (BSC) in an hour with the latest release https://t.co/d2gIsRlGDC
It includes:
1.Stopping hacker accounts from acting1/2
— BNB Chain (@BNBCHAIN) October 7, 2022
Developers said that after validators confirmed their status the network is “operating normally.” The infrastructure upgrade continues.
📢BNB Smart Chain (BSC) is running ok from 20+ mins ago.
The validators are confirming their status and the community infrastructure are upgrading as well.
— BNB Chain (@BNBCHAIN) October 7, 2022
Zhao emphasized that the “problem is localised,” and users’ funds are “safe.” According to BscScan, at time of writing the network is not producing blocks.
According to DeBank, the attackers’ address holds digital assets worth over $544 million — about 80% of the funds (~$433 million) are on the BNB Chain and cannot be withdrawn.
Researchers Paradigm under the handle samczsun explained that a critical vulnerability in the BSC Token Hub allowed attackers to perform a double-spend attack.
Either Binance was finally running the biggest giveaway that Web3 had ever seen, or the attacker had found a critical bug
— samczsun (@samczsun) October 6, 2022
According to SlowMist, the attackers funded the attack from addresses belonging to the ChangeNOW crypto-exchange. After performing the exploit they deposited 900,000 BNB into Venus Protocol to open overcollateralized positions worth $147 million.
The hacker stole a total of 2 Million BNBs in two transactions.
Then deposited 900,000 $BNB to @VenusProtocol as collateral to borrow:
~62M $BUSD
~50M $USDT
~35M $USDC pic.twitter.com/FvnA4pyqSt— SlowMist (@SlowMist_Team) October 7, 2022
The Venus Protocol team stressed that users’ funds are safe. The developers said that the hackers will either repay the loan and liquidity returns to pre-attack levels, or disappear with the borrowed stablecoins and positions will be forced to liquidate slowly.
2/2 There are 2 options next:
*The borrower refunds hir/her loans, liquidity returns to the protocol immediately and APY drops back to normal.
*He/She doesn’t refund and disappear with the borrowed stablecoins = The account will accumulate interest and slowly get liquidated.
— Venus Protocol (@VenusProtocol) October 6, 2022
In September 2022, the market-maker Wintermute lost assets worth $160 million in a hacking attack.
Follow ForkLog’s Bitcoin news on our Telegram — crypto news, prices and analysis.