DeFi Protocol Ankr Hit By Multi-Million Dollar Exploit

With the crypto industry’s focus on the FTX fiasco, DeFi hackers have been making merry, hitting Ankr, and as per information available, stealing $5 million.

Hackers were able to exploit an unlimited minting bug. The DeFi protocol stated it is working with exchanges to mitigate the hack’s impact. 

Ankr Falls Victim To Exploit 

Ankr, a BNB Chain-based decentralized finance (DeFi) protocol, has confirmed that it has fallen victim to a multi-million dollar exploit. The attack occurred on the 1st of December and was discovered by on-chain security analyst PeckShield on the 2nd of December. Ankr confirmed the developments shortly after, stating on Twitter that hackers had managed to exploit the aBNB token. They also announced that they were working with exchanges to halt trading of the token in question. 

“Our aBNB token has been exploited, and we are currently working with exchanges to immediately halt trading.”

Details Of The Hack 

According to the available details, the hacker was able to mint 20 trillion Ankr Reward Bearing Staked BNB (aBNBc) thanks to a vulnerability in the smart contract for the token.

“Our analysis shows the $aBNBc token contract has an unlimited mint bug. Specifically, while mint() is protected with onlyMinter modifier, there is another function (w/ 0x3b3a5522 func. signature) that completely bypasses the caller verification to have arbitrary mint !!!”

PeckShield reported that the hacker had transferred around 900 BNB, worth around $253,000 into Tornado Cash. Additionally, the exploiter also bridged USDC and ETH to the Ethereum blockchain. According to PeckShield, the hacker holds 3000 ETH and around 500,000 USDC. 

The 20 trillion aBNBc tokens held by the attacker make them the 13th largest holder of the token. The aBNBc token is the reward-bearing token for BNB tokens staked on the Ankr platform. 

Vulnerabilities In The Smart Contract Code 

Blockchain security firm Beosin confirmed the source of the exploit, stating that it was likely due to vulnerabilities in the smart contract code, along with compromised private keys. According to Beosin, these vulnerabilities could have emerged from a technical upgrade carried out by Ankr. 

“@ankr has been exploited. $aBNBc has dropped -99.5%. The hacker minted tons of $aBNBc and made a profit of 5,500 BNB (~$1.6 million). The deployer changed the implementation contract to the vulnerable contract address before the attack (possibly due to private key compromise).”

A spokesperson for the security firm stated,

“It is possible that the deployer’s private key was exposed in this upgrade, leading to an attacker using deployer privileges to modify the contract.” 

Binance Investigating The Exploit 

Binance, in a post on the 2nd of December, confirmed that its team was engaged with Ankr and other related parties and was investigating the matter further. It also added that no Binance user funds were at risk. 

“We are aware of the attack targeting @ankr’s aBNBc token. Our team is engaged with the relevant parties and @BNBCHAIN to investigate further. This is not an attack against #Binance, and your funds are SAFU on our exchange. This thread will be updated should there be any updates.”

ANKR And BNB Price Drops 

As a result of the developments, both ANKR and BNB saw a considerable drop in price. At the time the news of the exploit broke, the ANKR token dropped around 6.6%, falling to $0.0211. However, it has since recovered and is currently trading at $0.0216. The token is already over 90% down from its all-time high of $0.213. The BNB token also dropped, falling by 3.1%. However, this decline was attributed to a wider decline in the crypto markets. 

DeFi hacks had shot up drastically over the past couple of months, with October becoming the worst month in DeFi history. Several DeFi protocols, such as the Ethereum Alarm Clock Service, Polygon’s QuickSwap, Mango Markets, and others, fell victim to exploits.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

Source: https://cryptodaily.co.uk/2022/12/defi-protocol-ankr-hit-by-multi-million-dollar-exploit