BNB Chain’s $566M Hack: Binance Network’s Major Bridge Attack Unpacked

Key Takeaways

  • BNB Chain suffered a $566 million exploit Thursday after a hacker tricked the BSC Token Hub bridge into sending them two million BNB.
  • The hacker took a novel approach to siphon the funds across other networks, making off with about $110 million.
  • The BNB Chain halted the network and is weighing an asset freeze, highlighting major centralization issues.

Share this article

The BNB Chain team temporarily halted the network in response to the attack, which speaks volumes about the network’s centralization issues.  

BNB Chain Targeted

Last night’s nine-figure hack on BNB Chain’s bridge has caused a major commotion in the cryptocurrency community. 

An attacker targeted the Binance-run blockchain network late Thursday, successfully making off with around $110 million worth of crypto. But while $110 million is by all accounts a pretty tidy paycheck for a few hours of work, it’s just a fraction of the overall size of the exploit. On-chain data shows that the attacker commenced the elaborate hack by tricking BNB Chain’s BSC Token Hub bridge into sending them two million BNB tokens worth about $566 million. According to Paradigm researcher samczsun, the attacker used a complex multi-step process to exploit a bug in the bridge, effectively forging the bridge’s code so that they could make two separate one million BNB withdrawals. The bridge sent the funds and continued to run as normal until multiple community members raised suspicions over the size of the withdrawals. The BNB Chain responded by halting the blockchain. 

Bridge Flaws Exposed 

The incident caught the crypto space’s attention partly due to the scale of the exploit. Though the hacker’s takings are currently around $110 million, the two million BNB theft places the incident on a par with other major attacks like the $552 million hack on Axie Infinity’s Ronin bridge in March. Once again, the BNB Chain exploit has sounded the alarm on the security risks of cross-chain bridges. As crypto has evolved and various Layer 1 networks have emerged alongside Ethereum (BNB Chain itself is essentially an Ethereum clone), demand for cross-chain interoperability has soared. That’s created an opportunity for bridges like BNB Chain’s product to cater to the market’s needs. Per Defi Llama data, the total value locked in crypto bridges is over $10 billion today, helped by BNB Chain and other networks soaring in popularity in 2021. 

While bridges are useful for connecting blockchains, they’re widely considered less secure than base layer networks like Bitcoin and Ethereum because they often use a central storage point to lock deposited assets. That’s led to a surge in hacks; an August Chainalysis report found that bridge hacks account for 69% of all crypto theft, with the takings topping $2 billion to date. 

While bridge hackers usually have different methods for stealing funds, they’re typically able to execute their attacks by exploiting shoddy code. The BNB Chain hack was no different; the attacker found a way to forge a proof so that they could make two fraudulent withdrawals. They quickly funneled the funds to different locations, meaning that a significant portion of the stolen funds was already on the move when the BNB Chain team decided to halt the network. 

Tracking the Attacker’s Moves 

Perhaps the most curious element of the hack has been the attacker’s activity following the exploit itself. Given the size of the haul, the hacker faced limitations in their options for laundering the funds—simply because bigger pots like this tend to draw more attention from crypto, on-chain investigators, and authorities alike. On-chain data shows that the hacker transferred their funds to multiple locations, but they took a novel approach that differs from most other similar thefts. 

As the Treasury Department noted when it banned Tornado Cash in August, hackers frequently turn to crypto mixers to siphon stolen funds. While the hacker could have pulled a similar move to cover their traces, they instead opted to deposit just under half of the takings into Venus Protocol, a lending product on BNB Chain. That may be because they would have struggled to exchange all of their BNB tokens without impacting the price; Tornado Cash takes deposits in ETH, DAI, cDAI, USDC, and USDT, meaning they would have had to trade their assets and move over to Ethereum to use it. 

By providing BNB as collateral on Venus, the hacker was able to borrow around $150 million in stablecoins. This is an interesting play because they borrowed USDT, USDC, and BUSD—centralized stablecoins that can be frozen by their issuers. Tether blacklisted at least $6.5 million of the haul, blocking the hacker from cashing out the USDT they borrowed. The hacker used several strategies to deploy their funds on other networks, converting much of the haul into ETH. 

Blockchain security firm SlowMist estimates that the hacker moved around $110 million from BNB Chain to six other Ethereum-compatible networks: Ethereum, Polygon, Fantom, Avalanche, Arbitrum, and Optimism. However, the bulk of the transferred funds have not yet been laundered, and the hacker has left most of the takings on BNB Chain. For such a sophisticated attack, they’ve left a huge sum of money on the table given that the stolen BNB could be frozen. 

BNB took a hit following the incident and is down about 3.5% today. Besides BNB, the hacker’s largest position is ETH—they currently have over $32.5 million sitting in this wallet

BNB Chain Responds 

The BNB Chain team responded to the incident as talk of the attack circulated on Crypto Twitter. The blockchain’s official Twitter account confirmed at 22:19 UTC that it had paused the network, noting that it had identified a “potential exploit.” Some applauded the team for the response, with Binance CEO Changpeng “CZ” Zhao saying that he was “impressed by the quick actions the [team] took.” However, the decision to halt the chain also prompted many to call out the blockchain’s centralized design. “You’re supposed to be immutable fren,” tweeted the Bitcoin DeFi project Stacks. Others posted memes of CZ to imply that he had full oversight of the network’s validators. 

Immutability is considered a key feature of blockchain and cryptocurrency technology, but controlled network halts expose centralization issues that throw that idea to sea. When a blockchain can be paused, it’s not immutable. The largest blockchain, Bitcoin, has never been halted since it launched in 2009. Bitcoin has over 10,000 full validator nodes worldwide, while Ethereum has just over 8,000. Like BNB Chain, Ethereum operates a Proof-of-Stake mechanism with over 400,000 validators securing the network. BNB Chain, meanwhile, relies on just 44. In a statement, the BNB Chain team said that “decentralized chains are not designed to be stopped,” adding that contacting the network’s 26 active validators prevented further damage. 

BNB Chain successfully restarted the network after syncing validators early Friday, and the network is now running as normal with the hacker’s wallet blacklisted. Questions remain over what will happen to the BNB and centralized stablecoins on BNB Chain, currently valued at over $426 million (the hacker still has $254 million worth of BNB collateralized against $147 million worth of stablecoins on Venus). Due to the scale of the attack, it’s likely that authorities will soon be involved, too. 

BNB Chain’s statement said that it would be down to the community to decide whether to freeze the hacked funds “for the common good of BNB,” and it’s also offering a bounty reward of 10% of the recovered funds for uncovering the hacker. The BNB Chain took responsibility for the incident in its note. “We want to apologize to the community for the exploit that occurred. We own this,” the note read. 

Disclosure: At the time of writing, the author of this piece owned ETH, USDT, MATIC, and several other cryptocurrencies. 

Share this article

Source: https://cryptobriefing.com/bnb-chain-566m-hack-binance-networks-major-bridge-attack-unpacked/?utm_source=feed&utm_medium=rss