Hackers steal at least $100 million from Binance-linked blockchain
The world’s largest cryptocurrency exchange, Binance, lost at least $100 million in a hack on Thursday, the company revealed.
According to Binance CEO Changpeng Zhao, hackers exploited a vulnerability in the BSC Token Hub, a bridge that facilitates the transfer of assets between two Binance blockchains, BNB Beacon Chain and BNB Smart Chain.
The exploit in BSC Token Hub allowed hackers to create 2 million Binance digital tokens worth approximately $570 million. In an interview with CNBC, Zhao said that no users lost their money, since the hackers only tried to siphon off the newly created tokens.
The value of BNB fell by nearly 4% on Friday, to $283 per coin, according to CoinMarketCap.
Initially, the hackers tried to withdraw all $570 million from Binance, but the company temporarily shut down the vulnerable network to fix the bug, leaving the cybercriminals with nearly $118 million in stolen funds, which they have already moved to other networks.
An estimated $7 million has been frozen, so the actual hack amount is around $100 million to $110 million, according to Binance.
Cross-chain bridge hacks are common in the crypto world, according to Zhao. These open-source blockchain-based smart contracts help users move between networks, but they have also become an attractive tool for cybercriminals to launder money.
Nearly $2 billion in cryptocurrency had been stolen in 13 cross-chain bridging attacks, most in 2022, according to blockchain research firm Chainalysis. A cross-chain bridge platform called RenBridge has been used to launder at least $540 million in cryptocurrency over the past three years, while in March hackers stole $600 million from a bridge behind the crypto-based video game Axie Infinity.
These attacks are a blow to the entire digital asset industry, which is suffering from falling crypto prices and a sharp drop in market capitalization, from more than $3 trillion last year to less than $1 trillion now.
Any attempt to hack crypto platforms undermines confidence in decentralized finance, which relies on algorithms and lacks regulation. “Software code is never error-free,” Zhao said.
In response to the attack, Binance suspended transactions and money transfers on the BNB Smart Chain for about eight hours, but restarted it on Friday morning.
Early on Friday, Binance posted on Reddit that the issue had been contained and users’ funds were safe.
How it happened
Hackers used a flaw in the bridge’s proof verifier, meaning they convinced the system that they had a valid claim to the funds, according to cybersecurity firm Hacken.
“It’s just telling, man, [the hacker] told the bridge ‘I transferred 1 million BNB to you on Beacon Chain, so you must give me 1 million BNB on Binance Smart Chain (BEP20),’” Hacken wrote on Twitter.
Other researchers, including those from Rekt and Paradigm, came to the same conclusion.
Instead of sending the newly minted BNB directly into the wallet, hackers deposited 900,000 BNB to the lending platform Venus Protocol, according to Hacken.
The hackers then rushed to move the stolen funds to other chains, including Fantom, Avalanche and Arbitrum, before Binance suspended the network. The suspension “allowed to save the network and the ecosystem from collapse, as the bridge had billions of dollars on balance,” according to Hacken.
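To illustrate the two defensive points above, that a bridge must verify a claimed deposit against the source chain’s state rather than trust the message, and that a per-window release cap bounds the damage when verification fails, here is an added toy example; it is not Binance’s or Hacken’s code, and it assumes a simple SHA-256 Merkle tree and a constructed deposit format rather than the bridge’s real proof scheme.

```python
import hashlib

def _h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def _levels(leaves):
    """All levels of a binary Merkle tree; odd-sized levels duplicate the last node."""
    levels = [[_h(b"\x00" + l) for l in leaves]]          # 0x00 prefix: leaf domain separation
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([levels[-1][-1]] if len(levels[-1]) % 2 else [])
        levels.append([_h(b"\x01" + cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def merkle_root(leaves):
    return _levels(leaves)[-1][0]

def make_proof(leaves, idx):
    """Sibling path for leaf idx, as a list of (sibling_hash, sibling_is_left)."""
    proof = []
    for lvl in _levels(leaves)[:-1]:
        lvl = lvl + ([lvl[-1]] if len(lvl) % 2 else [])
        proof.append((lvl[idx ^ 1], idx % 2 == 1))
        idx //= 2
    return proof

def verify_proof(leaf, proof, root):
    """Recompute the root from the leaf and its sibling path; True only if it matches."""
    node = _h(b"\x00" + leaf)
    for sib, sib_is_left in proof:
        node = _h(b"\x01" + (sib + node if sib_is_left else node + sib))
    return node == root

class BridgeHub:
    """Releases tokens only for deposits proven against a trusted source-chain root."""
    def __init__(self, trusted_roots, cap_per_window):
        self.trusted_roots = trusted_roots   # height -> root; assumed to come from verified headers
        self.cap, self.minted, self.claimed = cap_per_window, 0, set()
    def release(self, height, leaf, proof):
        root = self.trusted_roots.get(height)
        if root is None:
            return "reject: unknown source block"
        if not verify_proof(leaf, proof, root):   # the claim must exist in source-chain state
            return "reject: invalid inclusion proof"
        if leaf in self.claimed:
            return "reject: already released"
        amount = int(leaf.split(b":")[2])
        if self.minted + amount > self.cap:       # circuit breaker bounds any single-window loss
            return "reject: window cap exceeded"
        self.claimed.add(leaf); self.minted += amount
        return "ok"

# Constructed sample: three deposits recorded on the source chain at height 1000
DEPOSITS = [b"deposit:alice:5", b"deposit:bob:40", b"deposit:carol:12"]
ROOTS = {1000: merkle_root(DEPOSITS)}
```

A forged claim such as `b"deposit:mallory:1000000"` presented with a genuine sibling path is rejected because the recomputed root no longer matches, and even a valid claim cannot push a window’s releases past the cap.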
What comes next
Binance said the community will hold a vote on what to do with the hacked funds. Participants will also decide on a bounty for catching hackers and identifying future bugs. The company plans to pay $1 million for each significant flaw found.
Binance will share the details of the hack and “any lessons on how to implement more advanced security measures” after the investigation. It will also introduce a new on-chain governance mechanism on the BNB chain to combat and defend against future possible attacks.
“We need to learn how to make the code more secure,” Zhao told CNBC. “In a blockchain world, one mistake can result in very large losses.”
At the time of publication, the company did not respond to an inquiry from The Record.