Hack Track: Analysis of Ankr Exploit
Merkle Science
As we settle into the new year, 2022 will likely be remembered by web3 and technology enthusiasts as the crypto ecosystem’s first major downturn. Throughout the year, crypto hacks led to over $3.7 billion in losses and the downfall of huge names such as Luna, Celsius, and FTX spread ripples across the industry - even causing the price of Bitcoin to drop below $16,000 for the first time in years. In the final month of 2022, Certik reported that the total amount of hacks, exploits, and scams recorded in December was the lowest of the year, totaling around $62.2 million.
Despite December being a slower month in terms of crypto crime, one event worth diving deeper into is the decentralized finance (DeFi) protocol ANKR’s smart contract exploit that resulted in the loss of $5 million worth of cryptocurrency. ANKR is a Binance-hosted, smart chain-based DeFi protocol that allows users to earn a yield on their cryptocurrency holdings. Recently, the company revealed that the breach was caused by a previous employee who exploited a vulnerability in the system.
This is not the first time that ANKR has faced security issues. In 2020, the company experienced a similar incident in which an individual was able to gain access to its systems and steal a small amount of cryptocurrency. In response, ANKR implemented additional security measures including the use of multisig wallets and the implementation of a bug bounty program. ANKR promptly halted trading and notified authorities and the affected liquidity providers.
ANKR’s latest exploit has reignited concerns about the security of DeFi protocols. The exploit was reportedly discovered after ANKR noticed unusual activity on one of its smart contracts. Upon further investigation, the company found that the said smart contract had been exploited to drain funds from the protocol's liquidity pool.
What Happened?
According to SolidityScan, a smart contract auditing firm, the ANKR hack was the result of a re-entrancy vulnerability in the protocol's smart contract code. This type of vulnerability allows an attacker to repeatedly call a function in a contract, potentially draining the contract's funds.
Though many on-chain analysis firms came to the conclusion that it could have been an exploit involving unlimited minting error, the ANKR’s findings reveal it was actually a supply chain attack utilizing social engineering as a delivery mechanism.
A supply chain attack involves a hacker targeting a weakness in a company's supply chain to gain access to the company's systems or to introduce malware into its products. These types of attacks can be particularly effective because the supply chain is often a weak link in an organization's cybersecurity hygiene.
There are several ways that hackers might use supply chain attacks to exploit DeFi protocols. For example, they might target a company that is building hardware wallets to potentially introduce malware into the wallets before they are shipped to customers. The malware could then be used to steal the private keys of the wallet's users, allowing the hacker to gain access to their assets.
Alternatively, a hacker might target a software company that is developing DeFi protocols in an attempt to introduce vulnerabilities into the code that could be exploited later. For example, the hacker might modify the code in such a way that it contains a backdoor, which allows the hacker to gain access to the system at a later date.
ANKR’s Response
To reimburse customers who lost funds in the hack, ANKR conducted a series of airdrops to its token holders. The airdrops were based on a snapshot taken of ANKR balances at the time of the hack, with affected users receiving a proportionate share of the airdropped tokens. The total value of the airdropped tokens was $15 million, which was used to compensate those who lost funds in the hack as well as to provide additional liquidity to the ANKR protocol.
In addition to the airdrops, ANKR also implemented new security measures to prevent future attacks. These measures included a security audit of the ANKR smart contract, as well as the deployment of new security protocols and the creation of a bug bounty program to encourage the reporting of vulnerabilities. Additionally, ANKR will now require escalated background checks for all employees - including all contractors and remote workers - while taking extra measures to verify the current status of those currently working at ANKR.
Moreover, following the exploit, ANKR unveiled its recovery plan to reimburse the affected users and further strengthen the security of the network. This included:
- Creating a process for affected community members to report their losses and request reimbursement
- Allocating funds from the ANKR Ecosystem Grant Fund to cover the cost of reimbursement
- Implementing additional security measures and audits to prevent future exploits
To protect against supply chain attacks and other cybersecurity threats, companies in the DeFi space should consider implementing robust security protocols, conducting regular security audits, and providing employee training on how to identify and report potential threats. By taking these precautions, DeFi companies can help ensure the security and stability of their systems, which is essential for building trust with users and enabling DeFi to reach its full potential in the years ahead.
Insights from Merkle Science’s On-Chain Analysis
According to Merkle Science’s investigation, on December 2nd, 2022, at 12:43:18 AM +UTC, the attacker transferred over 10 Tr aBNBc to his address. Simultaneously, the attacker executed a similar exploit on the ETH blockchain involving over 1 million ANKR tokens.
Subsequently, the exploiter proceeded to convert aBNBc tokens to BinanceUSDC tokens via swaps. Following this, a portion of the BinanceUSDC tokens were further converted to USDC tokens and then to ~3,370 ETH on the ETH blockchain. During our investigation, we observed that ~3,360 ETH was sent to Tornado Cash through multiple transactions.
A fraction of the Binance USDC tokens have been swapped for 5500 BNB tokens, of which 900 BNB was transferred to Tornado cash via multiple transactions at the time of writing.
Majority of the remaining BNB was sent to multiple swap and send services, post which the BNB was transferred to multiple addresses that potentially belong to the exploiter.
One such example address (Associate 1) is where we witnessed transfers as recent as six days ago. Associate 1 is associated with the exploiter’s address and has received 100 BNB directly from the attacker's address as well as an additional ~900BNB from other addresses.
These funds were later sent to a different address which could be an address owned and controlled by a prominent exchange, where 1000 BNB of the stolen funds are currently sitting.