Binance hack siphons US$110 million

Binance Bitcoin logo seen displayed on an Android phone. | Photo Illustration by Avishek Das/SOPA Images/LightRocket via Getty Images

Hackers stole an estimated US$110 million late Thursday night from Binance’s BNB Smart Chain (BSC), the latest in a string of attacks involving cross-chain bridges this year. The chain was suspended in the early hours of the heist but was restarted Friday morning.

Shortly after the exploit, Binance CEO Changpeng Zhao announced that validators were turned off to completely stop the network while the team investigated the attack. Hackers attempted to drain $560 million by minting 2 million BNB tokens and depositing them into a BNB wallet.

“The attacker had somehow convinced the Binance Bridge to simply send them 1,000,000 BNB. Twice,” samczsun, research partner and head of security at crypto research firm Paradigm, tweeted.

The hacker was able to get their hands on as much as $110 million worth of coins and transfer them out of BSC, while a further US$429 million remains in the BNB wallet. Validators will vote “in the next few days” on whether to use BNB auto-burn, a process used to keep the supply of BNB under 100 million, to recover the hacked funds, according to a company blog post.

BNB’s price fell US$10 shortly before the hack, before stabilising at around US$281 per coin.

According to analysts and on-chain data, the hackers exploited a bug in the bridge’s proof verification that allowed them to forge approval messages and deposit the funds into their account.

“Fortunately, the attacker here only forged two messages, but the damage could have been far worse,” samczsun concluded.

Some of the stolen funds have been frozen, according to a Binance post on Reddit. Tether, the parent company of the stablecoin of the same name, froze US$6.5 million of funds that were transferred to its blockchain and traced back to the hackers.

The expected validator vote will also include a bounty for catching the hackers (up to 10% of recovered funds) and creating a so-called whitehat program that will award $1 million to benevolent hackers who find and report “significant” bugs, according to the blog post.

The exploit was neither the first nor the largest cross-chain hack this year. Over US$2 billion has been stolen this year, establishing cross-chain bridges as the Achilles heel of decentralized finance (DeFi). Blockchain bridges allow users to transfer assets from one chain to another, locking the assets from one chain within the bridge while minting the equivalent on the other. The liquidity held within the bridges makes them likely targets for hacks, especially for decentralized protocols that have their data and code publicly available on websites like GitHub.
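The lock-and-mint mechanism and the proof check described above, as an added Python sketch that is not Binance, BSC or bridge code: the HMAC-based deposit proof, the relayer key and the account names are constructed stand-ins for the bridge’s real verification scheme. It shows the three controls a defender expects on the minting side: the approval message must carry a valid proof, each proof is spendable once, and the total minted can never exceed the total locked, so a forged message or an unbacked mint is refused and logged.

```python
import hashlib
import hmac

# Added illustration, not Binance or BSC code. Models a lock-and-mint bridge:
# assets locked on chain A are represented by tokens minted on chain B, and
# every mint must be backed by a verified deposit proof from chain A.

# Hypothetical relayer key; stands in for the bridge's real proof scheme.
RELAYER_KEY = b"constructed-demo-key"


def make_proof(key: bytes, account: str, amount: int, nonce: int) -> bytes:
    """Deposit proof over (account, amount, nonce). HMAC is a constructed
    stand-in for the bridge's verification logic, kept so the demo runs offline."""
    msg = f"{account}:{amount}:{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class ToyBridge:
    """Destination-chain side of the bridge: verifies proofs and mints."""

    def __init__(self, key: bytes):
        self.key = key
        self.locked = 0          # total backing locked on the source chain
        self.minted = 0          # total minted on this chain
        self.balances: dict[str, int] = {}
        self.used_nonces: set[int] = set()
        self.events: list[str] = []

    def record_lock(self, amount: int) -> int:
        """Source-chain lock observed by the bridge (constructed: no real chain)."""
        self.locked += amount
        return self.locked

    def mint(self, account: str, amount: int, nonce: int, proof: bytes) -> bool:
        # Check 1: the approval message must carry a valid proof.
        expected = make_proof(self.key, account, amount, nonce)
        if not hmac.compare_digest(expected, proof):
            self.events.append(f"REJECT mint {amount} to {account}: proof invalid")
            return False
        # Check 2: each proof is spendable once (replay protection).
        if nonce in self.used_nonces:
            self.events.append(f"REJECT mint {amount} to {account}: nonce {nonce} reused")
            return False
        # Check 3: supply invariant, minted must never exceed locked backing.
        if self.minted + amount > self.locked:
            self.events.append(
                f"REJECT mint {amount} to {account}: would exceed locked {self.locked}")
            return False
        self.used_nonces.add(nonce)
        self.minted += amount
        self.balances[account] = self.balances.get(account, 0) + amount
        self.events.append(f"MINT {amount} to {account}")
        return True


def run_demo() -> dict:
    """Legitimate deposit, then a forged message, a replay and an unbacked mint."""
    bridge = ToyBridge(RELAYER_KEY)
    bridge.record_lock(1_000)
    good = make_proof(RELAYER_KEY, "alice", 1_000, nonce=1)
    ok_legit = bridge.mint("alice", 1_000, 1, good)

    # Forged message: attacker-chosen amount, proof computed without the key.
    forged = hashlib.sha256(b"attacker:1000000:2").digest()
    ok_forged = bridge.mint("attacker", 1_000_000, 2, forged)

    # Replay of the valid proof.
    ok_replay = bridge.mint("alice", 1_000, 1, good)

    # Correctly signed but unbacked: nothing more is locked on the source chain.
    unbacked = make_proof(RELAYER_KEY, "bob", 500, nonce=3)
    ok_unbacked = bridge.mint("bob", 500, 3, unbacked)

    return {
        "legit": ok_legit,
        "forged": ok_forged,
        "replay": ok_replay,
        "unbacked": ok_unbacked,
        "minted": bridge.minted,
        "locked": bridge.locked,
        "events": bridge.events,
    }


if __name__ == "__main__":
    for line in run_demo()["events"]:
        print(line)
```

The supply invariant is the check that is independent of the proof scheme: even if proof verification has a bug, a mint that would push total supply above total locked backing can still be refused and alerted on, which is the kind of second line of defence that bounds the damage when a bridge’s message validation fails.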

Just this week, hackers stole $28.9 million from decentralized exchange Transit Swap, 247 Wall Street reported, and Sovryn, a Bitcoin-based DeFi protocol, lost US$1 million in crypto, according to Bitcoinist.

Maria Gracia Santillana Linares, Forbes Staff