A statement on the official BNB Chain subreddit initially said that about $100 million to $110 million was stolen, prompting the team to reach out to “validators to temporarily suspend BNB Smart Chain (BSC)” and contain the incident. A blog post released later said a total of two million BNB was stolen. The hacker reportedly got the BSC Token Hub to mint and send them one million BNB twice. The stolen funds were quickly traded for other crypto assets, including USD Coin.

“There was an exploit affecting the native cross-chain bridge between BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20 or BSC), known as ‘BSC Token Hub,’” the BNB Chain team explained. An investigation is ongoing, and the company said it would share more details with all parties after a “thorough postmortem.”

At the time of writing, the Binance exchange has resumed operations. Meanwhile, Binance CEO Changpeng Zhao has reassured users that their funds are safe.
Cross-Chain Bridge Exploit
BNB is the world’s fifth-largest crypto token, with a market value of over $40 billion. The price of BNB dropped after news of the hack late Thursday.

Several security researchers have been looking into the breach. Without going into details, the BNB Chain team said the “exploit was through a sophisticated forging of the low level proof into one common library.” The head of security at crypto and Web 3 investment firm Paradise analyzed the breach and shed more light on it in a Twitter thread. “In summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages. Fortunately, the attacker here only forged two messages, but the damage could have been far worse,” he noted.

Prior to the breach, the hacker funded their wallet through ChangeNOW, an account-free instant crypto exchange. In a statement on Friday, ChangeNOW said the hacker also moved funds through other crypto exchange platforms, including Uniswap, Curve Finance, SushiSwap, PancakeSwap, and Alpaca Finance. ChangeNOW said the hacker’s activity didn’t trigger alarm bells on its system because they “used a clean, freshly created address.” “The address was assessed by our AML system for any suspicious signs, and it was shown that it had never been involved in any malicious activity,” ChangeNOW explained.
Cryptocurrency Bridges Under Attack
This is the second major cyberattack on a cryptocurrency bridge this year. Hackers stole over $600 million worth of crypto from the Ronin bridge in March. Nomad also lost about $200 million in a bridge hack in August. “Looking at the broader picture, we have seen a series of attacks targeting vulnerabilities in cross-chain bridges,” the BNB Chain team said.

The team has announced plans to introduce a “new on-chain governance mechanism” to prevent a similar incident. The BNB Chain team also said there will be “on-chain governance votes” to decide whether to freeze the stolen funds and whether to use the BNB Auto-Burn to “cover the remaining hacked funds.” “A coin burn refers to the process of permanently removing cryptocurrencies from circulation to reduce the total supply of the coin,” a blog post on the Binance Academy said, adding that this helps to increase the asset’s valuation.

Binance also announced plans for a Whitehat program where hackers get $1 million for every major bug found, and a bounty of 10 percent for people who can recover stolen funds.