Last night, a hacker managed to steal 2 million BNB tokens (over $560 million) from the BSC Token Hub, the bridge used to transfer cryptocurrencies between the BNB Beacon Chain and the BNB Smart Chain. Some of the funds were frozen, but the hacker still managed to keep the equivalent of $100 million on different blockchains.
NBB Chain saved by Binance and validators
Early last night, block production was halted on Binance’s blockchain, the BNB Chain, following the exploitation of the BSC Token Hub bridge that could have cost more than $560 million.
Due to irregular activity we’re temporarily pausing BSC. We apologize for the inconvenience and will provide further updates here.
Thank you for your patience and understanding.
– BNB Chain (@BNBCHAIN) October 6, 2022
” We are temporarily shutting down the NBB Smart Chain due to abnormal activity. We apologize for the inconvenience and will keep you updated here. Thank you for your patience and understanding. “
The first suspicions of a hack were raised by Zane Huffman, head of strategy for decentralised finance (DeFi) platform Vesper Finance, on Twitter:
Some gigawhale (possibly Binance) is making a massive on-chain leverage play in real-time.
Looks like a huge concentrated bet: Long $ETH vs stablecoins using $BNB collateral.https://t.co/5GFCv8AEzR
– GREEN JEFF (The Bread 9) (@jeffthedunker) October 6, 2022
Effectively, after only 2 transactions, an unknown wallet transferred more than 2 million BNB tokens (more than $560 million) on different blockchains and protocols. At that time, it was impossible to know if the movements were the work of a whale or if it was a hack.
After multiple investigations, the NBB Chain teams confirmed that the blockchain shutdown was due to a hack on the cross-chain BSC Token Hub bridge, which is used to transfer tokens between the NBB Beacon Chain (BEP2) and the NBB Smart Chain (BEP20 or BSC).
Although the hacker transferred some of the stolen cryptocurrencies, 80% of the funds (~$430 million) remained on the NBB Chain, so the majority of the funds were frozen following the blockchain shutdown. The network has been updated with additional code to prevent the hacker from being able to transfer funds.
At the time of writing, the NBB Smart Chain has been restarted and block production has resumed.
It is worth noting that many people have been critical of the speed with which the blockchain has been brought to a halt, a sign of the blockchain’s centralization due to its reduced number of validators.
How did the hacker do it
As of yet, the methodology used by the hacker has not been confirmed via an official post mortem, but according to @samczsun, a researcher at Paradigm, he would have exploited the BSC Token Hub’s code to “convince” it to transfer 1 million BNB tokens to him on 2 occasions.
Either Binance was finally running the biggest giveaway that Web3 had ever seen, or the attacker had found a critical bug
– samczsun (@samczsun) October 6, 2022
“Either Binance decided to launch the biggest airdrop Web3 has ever seen, or the hacker found a critical flaw. “
Without going into detail, Binance’s bridge has to verify certain information when a request is sent to it to transfer cryptocurrencies, and the hacker reportedly found a way to bypass those verifications.
In short, there was a bug in the way Binance’s bridge checked for evidence, which could have allowed attackers to forge arbitrary messages. Fortunately, the attacker only forged two messages, but the damage could have been much worse. “
Once the first million BNB tokens were in his possession, the hacker deposited them on the DeFi Venus Finance protocol, notably to borrow $150 million in stablecoins (USDC, USDT, BUSD) before swapping them to obtain $53 million in Ether (ETH), $57 million in PHM tokens and finally $400,000 in MATIC tokens.
The other million BNB tokens obtained were sent in full to the Stargate bridge.
Overview of the hacker’s wallet on different blockchains
So, at this stage, all the funds held by the hacker on the NBB Chain have been frozen, and Tether has blacklisted his address. It remains to be seen what he will do with his funds held on other blockchains.
The price of the BNB token was however only slightly affected. Indeed, following an impressive short-term fall, the token has stabilised at around $285, a difference of $8 from its initial price of $293 before the panic.
