The Ankr protocol hack, which cost $5 million on December 1, was triggered by a former team member, the project team announced on December 20.
The former employee carried out a “supply chain attack” by inserting malicious code into a package of future updates to the team’s internal software. Once that software was updated, the malicious code opened a security hole that allowed the attacker to steal the deployer key from the company’s server.
After Action Report: Our Findings From the aBNBc Token Exploit
We just released a new blog post that goes in-depth about this: https://t.co/fyagjhODNG
— Ankr Staking (@ankrstaking) December 20, 2022
Previously, the team had announced that the exploit had been caused by a stolen deployer key that had been used to update the protocol’s smart contracts. At that time, however, it had not explained how the deployer key had been stolen.
Ankr has alerted the local authorities and is trying to bring the attacker to justice. It is also working to strengthen its security practices to protect access to its keys in the future.
Upgradeable contracts like those used by Ankr are based on the concept of an “owner account,” the only account with the authority to push upgrades, according to an OpenZeppelin tutorial on the subject. Because of the risk of key theft, most developers transfer ownership of these contracts to a Gnosis Safe or another multisig account. The Ankr team says that it had not used a multisig account for ownership in the past, but will from now on, stating:
“The exploit was made possible in part because there was a single point of failure in our developer key. We will now implement multisig authentication for updates, which will require signing by all key custodians during restricted time intervals, making it extremely difficult, if not impossible, to carry out a future attack of this type. These features will enhance the security of the new ankrBNB contract and all Ankr tokens.”
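The contrast between the two ownership models described above, as an added illustration that is not Ankr’s, OpenZeppelin’s or Gnosis’s code. The first contract is a deliberately minimal stand-in for an upgradeable proxy (it only records which implementation is active and does not delegate calls): whoever holds the owner key can repoint it in a single transaction, which is the single point of failure the team describes. The second contract is a hypothetical upgrade authority to which that ownership would be transferred: it requires a proposal, an approval from every custodian, and execution inside a time-restricted window, so a single stolen custodian key can neither upgrade nor execute on its own. Contract and function names, the delay and window parameters, and the all-custodians rule are assumptions chosen to match the quoted description.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not Ankr's or OpenZeppelin's code). Minimal stand-in for an
// upgradeable proxy: one `owner` address controls which implementation is live.
// A leaked deployer key that equals `owner` is enough to change it.
contract UpgradeableProxyStub {
    address public owner;
    address public implementation;

    event Upgraded(address indexed newImplementation);
    event OwnershipTransferred(address indexed from, address indexed to);

    constructor(address initialImplementation) {
        owner = msg.sender;
        implementation = initialImplementation;
    }

    function upgradeTo(address newImplementation) external {
        require(msg.sender == owner, "not owner");
        implementation = newImplementation;
        emit Upgraded(newImplementation);
    }

    // Hand control to a multisig so no single key can call upgradeTo().
    function transferOwnership(address newOwner) external {
        require(msg.sender == owner, "not owner");
        require(newOwner != address(0), "zero owner");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }
}

// Hypothetical upgrade authority: every custodian must approve, and the
// upgrade can only be executed inside [readyAt, expiresAt). The delay gives
// custodians time to notice an unexpected proposal; the expiry stops stale
// approvals from being replayed later.
contract MultisigUpgradeAuthority {
    struct Proposal {
        address target;            // proxy whose owner is this contract
        address newImplementation;
        uint64 readyAt;            // earliest execution time
        uint64 expiresAt;          // execution no longer allowed from here
        uint16 approvals;
        bool executed;
    }

    address[] public custodians;
    mapping(address => bool) public isCustodian;
    uint64 public immutable delay;   // review period before execution (seconds)
    uint64 public immutable window;  // length of the execution window (seconds)
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public approved;

    event Proposed(uint256 indexed id, address target, address newImplementation);
    event Approved(uint256 indexed id, address custodian);
    event Executed(uint256 indexed id);

    constructor(address[] memory initialCustodians, uint64 delaySeconds, uint64 windowSeconds) {
        require(initialCustodians.length > 1, "need multiple custodians");
        for (uint256 i = 0; i < initialCustodians.length; i++) {
            address c = initialCustodians[i];
            require(c != address(0) && !isCustodian[c], "bad custodian");
            isCustodian[c] = true;
            custodians.push(c);
        }
        delay = delaySeconds;
        window = windowSeconds;
    }

    modifier onlyCustodian() {
        require(isCustodian[msg.sender], "not custodian");
        _;
    }

    function propose(address target, address newImplementation) external onlyCustodian returns (uint256 id) {
        id = proposals.length;
        uint64 readyAt = uint64(block.timestamp) + delay;
        proposals.push(Proposal(target, newImplementation, readyAt, readyAt + window, 0, false));
        emit Proposed(id, target, newImplementation);
    }

    function approve(uint256 id) external onlyCustodian {
        Proposal storage p = proposals[id];
        require(!p.executed && block.timestamp < p.expiresAt, "closed");
        require(!approved[id][msg.sender], "already approved");
        approved[id][msg.sender] = true;
        p.approvals += 1;
        emit Approved(id, msg.sender);
    }

    function execute(uint256 id) external onlyCustodian {
        Proposal storage p = proposals[id];
        require(!p.executed, "done");
        require(p.approvals == custodians.length, "need every custodian");
        require(block.timestamp >= p.readyAt && block.timestamp < p.expiresAt, "outside window");
        p.executed = true;
        UpgradeableProxyStub(p.target).upgradeTo(p.newImplementation);
        emit Executed(id);
    }
}
```

To use it, deploy `UpgradeableProxyStub`, deploy `MultisigUpgradeAuthority` with the custodian addresses and the chosen delay and window, then call `transferOwnership` on the proxy with the multisig’s address. From that point `upgradeTo` can only succeed when called by the multisig, which in turn only calls it after every custodian has approved and the clock is inside the window. The requirement that `approvals == custodians.length` is what the quote describes as signing by all key custodians; a production deployment would normally also need a way to rotate custodians and to cancel a proposal.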
Ankr is also committed to improving its HR practices. It will require “escalated” background checks on all employees, including those who work remotely, and will review access rights to make sure sensitive data is accessible only to workers who need it. The company will also put in place new notification systems so that the team is alerted more quickly when something goes wrong.
The Ankr protocol hack was first discovered on December 1. It allowed the attacker to mint 20 billion Ankr Reward Bearing Staked BNB (aBNBc), which was immediately traded on decentralized exchanges for some 5 million USD Coin (USDC) and bridged to Ethereum. The team has stated that it plans to reissue its aBNBb and aBNBc tokens to users affected by the exploit and spend $5 million of its own treasury to ensure these new tokens are fully supported.
The developer has also deployed $15 million to restore the peg of the HAY stablecoin, which became undercollateralized as a result of the exploit.
Disclaimer: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information presented here should not be taken as financial advice or an investment recommendation. All investment and trading moves involve risk, and it is the responsibility of each person to do their own research before making an investment decision.