$100 Million BNB Chain Exploit - How it happened.
Series of events the lead to the hack and the aftermath.
BSC Token Hub, the BNB bridge between the old Binance Beacon Chain and BNB Chain [Previously known as BSC] was exploited to mint two lots of 1M BNB directly to the hacker’s address.
The stolen 2M BNB amounts to $586M, but the hacker managed to siphon just $127M to other chains before losing access to the rest of the funds.
After noticing the irregular activity, BNB Chain was halted for close to 8 hours.
The attacker exploited the BNB bridge through falsified proof of deposit on the legacy Binance Beacon Chain. The bridge uses the IAVL verification process to verify the proof of deposit which is found to be vulnerable.
The Hacker forged the verification proofs with arbitrary messages.
With this falsified proof of balance, the hacker was able to convince the Binance Bridge to send 1M BNB tokens to the hacker’s address. Twice.
Hacker anticipated Binance to halt the chain to lock the funds, and moved quickly to transfer funds to other chains.
Rather than dumping the BNB directly and drawing attention to the price action, funds were deposited as collateral on the BSC lending platform Venus Protocol.
The strategy of borrowing rather than dumping initially led some to believe that this could be a gigawhale moving funds around. In a few hours, users began to notice high-slippage swaps and Tether blacklisting funds.
After transferring 900k BNB to Venus Protocol, borrowing a total of $147M in stablecoins, before bridging to Ethereum and L2s, Fantom, Avalanche, and Polygon networks.
The BNB team halted the chain, ~90 mins after the second transaction, and the hacker lost access to the ~$430M which remained on the chain.
BNB Chain was restarted after 8 hours of halting.
With just 26 active validators on the BNB chain is centralized to large extent, which allowed the team to halt the chain.
Binance has decided to include governance votes to decide on whether to freeze or burn the stolen funds and establish Bug Bounty and whitehat bounty programs.
Subtle_Crypto is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.