The third largest bridge hack has occurred on the BNB Chain, with $568 million worth of funds being stolen by the hacker.
Here’s what happened, and some of the lessons learnt from this hack:
How did the hack happen?
The root cause of the hack was Binance’s BSC Token Hub, a cross-chain bridge that facilitates transfers between 2 separate networks on the BNB Chain: BEP2 (BNB Beacon Chain) and BEP20 (BNB Smart Chain).
BSC Token Hub is the bridge between BNB Beacon Chain (BEP2) and BNB Chain (BEP20 or BSC).
— CZ 🔶 Binance (@cz_binance) October 6, 2022
This allowed users to deposit tokens they had on one chain, and they will receive these tokens on the other chain.
The hacker managed to convince the Token Hub that he had deposited 2 million BNB tokens, and this allowed him to receive 2 million BNB tokens (on BSC) without depositing anything!
The answer was that the attacker had somehow convinced the Binance Bridge to simply send them 1,000,000 BNB. Twice. pic.twitter.com/kgafYlzIP2
— samczsun (@samczsun) October 6, 2022
You can find out how the 2 networks, Beacon and Smart Chain, differ here.
What happened next?
After receiving these BNB tokens, the hacker tried to move these funds across other blockchain networks.
Since BNB is not as interoperable as other assets, the hacker deposited 900 BNB into Venus Protocol as collateral, and borrowed stablecoins like BUSD, USDT and USDC.
Afterwards, the hacker used a cross-chain bridge to move these assets to other EVM-compatible networks, including:
The total stolen funds from BSC TokenHub Exploiter are 2M BNB (~586M loss), and here comes the ~$89.5m stolen funds that have been moved off-chains to others (~58% to @ethereum, ~33% to @FantomFDN and ~4.5% to @arbitrum). @BNBCHAIN @cz_binance @CoinDesk https://t.co/fuRvGSMo71
— PeckShield Inc. (@peckshield) October 7, 2022
In fact, you can view the hacker’s entire portfolio on our platform:
At this point, all 44 validators on the BNB Chain were contacted to stop operations and the chain was eventually halted.
Due to irregular activity we're temporarily pausing BSC. We apologize for the inconvenience and will provide further updates here.
Thank you for your patience and understanding.
— BNB Chain (@BNBCHAIN) October 6, 2022
This essentially froze all of the hacker’s remaining assets (around 1.1 million BNB) on the BNB Chain, which helped to reduce the damage of the hack.
Furthermore, the hacker’s address, ‘0x489a8756c18c0b8b24ec2a2b9ff3d4d447f79bec’, was blacklisted by Tether, which froze a significant amount of USDT that the hacker was holding.
looks like the bnb was a hack. blacklisted tether pic.twitter.com/tHq9ALguOH
— icebergy ❄️ (@icebergy_) October 6, 2022
A blacklist by Tether would mean that the hacker is unable to transfer out any USDT he has in his wallet.
As a result, the hacker only managed to get away with $110 million.
6. The exploit amount transferred from BSC before the suspension is ≈ $118M
As from cz_binance and on-chain data, approximately $7-8M have been frozen on Ethereum, Avalanche, and Arbitrum networks
🟢 So, the actual hack amount is around $110M
— Hacken🇺🇦 (@hackenclub) October 7, 2022
During the chaos, BNB Chain issued a new upgrade for all validators, primarily aimed at freezing the hacker’s funds.
Update📢 BSC validators are coordinating to bring back BNB Smart Chain (BSC) in an hour with the latest release https://t.co/d2gIsRlGDC
1.Stopping hacker accounts from acting
— BNB Chain (@BNBCHAIN) October 7, 2022
Within a few hours, the BNB Chain was back online, and they provided an update on the next steps they will be taking:
UPDATE: Official BNB Chain Response.
We're humbled by the support, hard work, and dedication from the community of which we are proud to be a part.https://t.co/r0TcZYxFzJ
— BNB Chain (@BNBCHAIN) October 7, 2022
An on-chain governance vote would be held, where the community will help in deciding these 4 proposals:
- To freeze or unfreeze the hacked funds
- To use BNB Auto-Burn to cover the remaining hacked funds
- To create a Whitehat program for future bugs discovered, with a bounty of $1M for each significant bug
- To create a bounty for catching hackers, with rewards of up to 10% of the recovered funds
Lessons learnt from the hack
Here are some key takeaways we can gather from this latest crypto hack:
#1 Cross-Chain bridges are a major vulnerability
Vitalik Buterin, founder of Ethereum, previously mentioned that cross-chain applications have significant security risks.
My argument for why the future will be *multi-chain*, but it will not be *cross-chain*: there are fundamental limits to the security of bridges that hop across multiple "zones of sovereignty". From https://t.co/3g1GUvuA3A: pic.twitter.com/tEYz8vb59b
— vitalik.eth (@VitalikButerin) January 7, 2022
The basis of how a bridge works is that:
- You deposit a token on Chain A and it gets locked up in a smart contract
- You receive the same token but on Chain B, which is free to be used
As a result, bridges have a lot of assets that are locked up, which is why they are the prime target for hackers.
Before the BNB Chain hack, almost $1.4 billion has been stolen from cross-chain bridges in 2022 alone!
Moreover, there are many components to a cross-chain bridge which are usually managed by different stakeholders.
So long as one component is exploited, the entire bridge can be hacked!
2/ Cross-chain bridges usually involve multiple parties in their implementation, including the contracts on both source and target chains and the relays (validators) sitting in the middle. Any vulnerability in either party can cause huge financial loss. pic.twitter.com/JJf0XzpzE0
— BlockSec (@BlockSecTeam) October 7, 2022
To ensure that cross-chain bridges are not hacked in the future, BlockSec suggested active monitoring of every bridge transaction to ensure that they are valid.
3/ To secure the bridge, active monitoring should be taken.
· Monitoring the deposit and withdrawal events on source/target chains to ensure they are coupled
· Deploying an off-chain agent that cross-checks the balances in the on-chain contracts and off-chain agents
— BlockSec (@BlockSecTeam) October 7, 2022
After this event, we can only hope that the security of the bridge is prioritised to ensure the safety of our funds!
#2 The BNB Chain may not be truly decentralised
There have been many Layer 1s that claim to be the next ‘Ethereum killer’, and the BNB Chain is one such competitor.
While it has faster speeds and lower transaction fees compared to Ethereum, it can be argued that it is not sufficiently decentralised.
There are only a total of 26 active validators on the BNB Chain, and you can view them here.
This pales in comparison to the number of validators on the Ethereum network, where there are more than 440k of them!
While the BNB Chain was able to be halted rather quickly, this also shows that there is still a central entity that controls the blockchain.
CZ, the founder of Binance, argues that decentralisation should not be absolute, and there should be a gradient (or degree) of decentralisation.
From 3 years ago, still pretty much the same.
» CZ on Centralization Vs. Decentralization | Binance Blog https://t.co/0KtvEnMWGb
— CZ 🔶 Binance (@cz_binance) October 8, 2022
In the blog post above, CZ mentioned that having a small initial team is beneficial, even though it is more centralised. This is because it allows faster decision-making and a higher degree of efficiency.
Patrick Hillman, the chief communications officer at Binance, was also quoted as saying “Because those 26 validators are able to work with one another so quickly, they’re able to prevent that worse case scenario from happening.”.
There definitely are both pros and cons in the BNB Chain’s approach to developing a blockchain network, and it still remains to be seen what is the most effective way moving forward.
With yet another major crypto hack happening, we can only hope that developers are paying attention and prioritising the security of their decentralised applications (DApps)!
🔍 Navigate the DeFi Space NOW with Krystal!
Start your journey NOW on Desktop, iOS or Android
📱 Social Media
- Follow us on Telegram:
Announcements | Krystal Global | Krystal Vietnam 🇻🇳| Krystal Korea 🇰🇷 | Krystal Turkey 🇹🇷 | Krystal Africa 🌍 | Krystal Indonesia 🇮🇩 | Krystal India 🇮🇳 | Krystal Bangladesh 🇧🇩