The decentralized finance (DeFi) protocol based on-chain BNB, Ankr, has confirmed that it has been the target of a multi-billion dollar attack on December 1st.
The attack appeared to be discovered first reported by on-chain security analyst PeckShield at approximately 12:35am UTC on December 2.
An hour after the attack, Ankr confirmed on Twitter that the aBNB token had been exploited and that it was working with exchanges. to immediately stop trading the compromised token.
Our aBNB token has been exploited, and we are currently working with exchanges to immediately halt trading.
—Ankr (@ankr) December 2, 2022
Our aBNB token has been exploited, and we are currently working with exchanges to immediately stop trading.
The attacker was allegedly able to mint 20 billion Ankr Reward Bearing Staked BNB (aBNBc), a rewarded token for the BNB (BNB) staked in the protocol.
According to a Twitter post by on-chain analytics firm Lookonchain, the hacker has since used services like Uniswap, Tornado Cash, and various bridges to exchange and obfuscate the funds in order to earn around $5 million USD Coin (USDC).
Also added in a subsequent post that says that “all underlying assets in Ankr Staking are safe at this time, and none of the infrastructure services are affected.”
Seems that @ankr got hacked an hour ago!
The exploiter minted 20T aBNBC and dumped it on #pancakeswap.
At present, the exploiter has successfully exchanged more than 5 million $USDC.https://t.co/hF1tgNYw0t pic.twitter.com/XIPjBi6wvs
— Lookonchain (@lookonchain) December 2, 2022
Looks like @ankr got hacked an hour ago! The exploiter minted 20T of aBNBc and dumped it into PancakeSwap. At the moment, the exploiter has successfully exchanged more than 5 million USDC.
In comments to Cointelegraph about the attack, the blockchain security firm Beosin suggested that the exploit was likely the result of vulnerabilities in the smart contract code combined with the compromised private keys, which can stem from a technical update from the Ankr team about 12 hours ago.
Beosin also noted that the massive minting episode caused the aBNBc price to drop 99.5%, from $303.89 to $1.53 in a matter of hours.according to data from CoinMarketCap.
@ankr has been exploited. $aBNBc you have dropped -99.5%.
The hacker minted tons of $aBNBc and made a profit of 5,500 BNB (~$1.6 million)
The deployer changed the implementation contract to the vulnerable contract address before the attack (possibly due to private key compromise). pic.twitter.com/GJheXh0oDp— Beosin Alert (@BeosinAlert) December 2, 2022
@ankr has suffered an exploit. aBNBc has fallen by -99.5%. The hacker minted tons of aBNBc and made a profit of 5,500 BNB (~$1.6 million). The implementer changed the implement contract to the address of the vulnerable contract before the attack (possibly due to private key compromise).
“It is possible that the deployer’s private key was exposed in this update, leading an attacker to use the deployer’s privileges to modify the contract,” a Beosin spokesperson said. to Cointelegraph.
In a December 2 Twitter post, cryptocurrency exchange Binance confirmed that his team is engaged with the relevant parties to further investigate the matter, adding that Binance user funds are not at risk. The BNB Chain Twitter page also stated that the hacker’s wallet address has been blacklisted.
We are aware of the attack on @ankr‘s aBNBc that happened earlier today, leading to a substantial amount of new aBNBc being minted. The exploiter has been blacklisted.
Our community is on top of it, coordinating a response. We will provide more updates as they become available.—BNB Chain (@BNBCHAIN) December 2, 2022
We are aware of the attack on aBNBc by @ankr that occurred earlier today, which led to the minting of a substantial amount of new aBNBc. The hacker has been included in our blacklist. Our community is aware, coordinating a response. We will provide further updates as they become available.
Cointelegraph contacted Ankr when the exploit was first discovered, but did not receive an immediate response.
Update 4:30am UTC Dec 2: Added in an official Ankr statement comments from Beosin.
Update 5:30am UTC Dec 2: Added a statement from Binance’s BNB Chain Twitter account.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information presented here should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.
Keep reading:
Investments in crypto assets are not regulated. They may not be suitable for retail investors and the entire amount invested may be lost. The services or products offered are not directed or accessible to investors in Spain.