Hack Track: Analysis of the BNB Smart Chain Exploit
Merkle Science
Introduction
BNB Smart Chain, the blockchain of prominent crypto exchange Binance, suffered a $570 million exploit, with attackers swindling over $110 million worth of cryptocurrency.
On October 6, 2022, Changpeng Zhao (CZ), CEO and co-founder of the Binance Network, took to Twitter to confirm the exploit and assure users that their funds were safe. He tweeted, “An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to suspend BSC temporarily.” “The issue is contained now,” CZ continued. “Your funds are safe.”
BNB Chain comprises BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20 or BSC). This exploit affects the cross-chain bridge BSC Token Hub that connects the two chains.
This is the latest in a series of security incidents suffered by the Web3 industry. Losses from hacks and exploits have reached around $2 billion in 2022, propelled by the surge in DeFi exploits, especially attacks on cross-chain bridges. According to Merkle Science data, out of the $2 billion lost in hacks, over $1.6 billion has been swindled from DeFi protocols.
What Happened?
According to security experts at BlockSec and Paradigm, the hacker withdrew 2 million BSC tokens in two transactions. This is equivalent to around $569 million at current prices for BSC. According to Sam Sun, the Head of Security at Paradigm, the attacker managed to dupe the Binance Bridge into sending out 1 million BSC tokens on two separate occasions. Thenceforth, the attacker found a way to forge a proof for block 110217401. Sam Sun concluded that a bug in the way that the Binance Bridge verified proofs allowed attackers to forge arbitrary messages. Read his full analysis here.
Initially, recognizing irregular activity, BNB Chain tweeted that it was pausing BNB Smart Chain while working to confirm the exploit. After determining that the exploit was on the cross-chain bridge, a Binance Smart Chain representative confirmed that it was taking coordinated action with validators to temporarily suspend BNB Smart Chain, i.e., all deposits and withdrawals via BNB Smart Chain were temporarily suspended.
The official response by BNB Chain highlighted that “decentralized chains are not designed to be stopped, but by contacting community validators one by one, we were able to stop the incident from spreading. It was not that easy as BNB Smart Chain has 26 active validators at present and 44 in total in different time zones. This delayed closure, but we were able to minimize the loss.” The response also confirmed the speculation that initially 2 million BSC was withdrawn and that the exploit was conducted through a sophisticated forging of the low-level proof into one common library. As a result of the halt, despite 2 million BSC being targeted, the actual loss suffered is much lower. Ultimately, BSC estimated $100 to $110 million in assets were moved off-chain but said in a tweet that $7 million was already frozen.
What Happens Next?
At the time of writing, the BNB Smart Chain is up and running again. The official response states that on-chain governance votes will determine four actions for the common good of BNB, including:
- Whether or not to freeze hacked funds
- Whether or not to use BNB Auto-Burn to cover the remaining hacked funds
- Putting in place a Whitehat program for future bugs, rewarding $1 million for each bug discovered
- Bounty for catching hackers — up to 10% of recovered funds will be given as rewards
Further, a new on-chain governance mechanism will be introduced on the BNB Chain to fight and defend against future possible attacks. Read the full response here.
Merkle Science On-Chain Analysis
According to Merkle Science's analysis, the attacker managed to manipulate the Binance Smart Chain by forging the proof of block 110217401 and transferring 2 million BNB to his newly generated wallet address: 0x489A8756C18C0b8B24EC2a2b9FF3D4d447F79BEc.
The stolen funds were then swapped to other crypto assets, both within the BNB chain and on other blockchains including Ethereum and Polygon. In the first case, the attacker deposited the funds into Venus Protocol — a decentralized finance (DeFi) algorithmic money market protocol on BNB Chain. After that, the attacker used the Venus platform to open an over-collateralized position of approximately $254 million and borrowed $147.5 million in stablecoins against 900,000 BNB tokens deposited. At the time of writing, the funds are sitting in the Venus Protocol. The stablecoins borrowed include 62 million BUSD, 35 million USDC, and 50 million USDT.
As mentioned above, the attacker also bridged funds to the following blockchains:
- ~$59M USD to Fantom
- ~$53M USD to Ethereum
- ~$400,000 USD to Polygon
- ~$1.1M USDC to Optimism
- ~$9.6M USD to Avalanche C-Chain
At 4:05 today, BNB Chain tweeted that they had suspended the BSC Chain after having determined a potential exploit. Since the BNB chain was suspended, the roughly $430 million sitting on it could not be transferred further.
Merkle Science’s investigation team is following the BSC exploit closely. Stay tuned for a detailed analysis of the exploit and further updates.