Binance, the largest cryptocurrency exchange in the world, confirmed on Thursday that hackers stole at least $100 million.
Following the discovery of a vulnerability in the BSC Token Hub cross-chain bridge, the Binance blockchain (also known as BNB Chain and Binance Smart Chain) temporarily halted all transactions and withdrawals. Cross-chain bridges of this kind exist to make it easier to move assets from one decentralized blockchain to another.
Due to the flaw in the BSC Token Hub bridge, an attacker could forge messages and create their own BNB tokens. Tokens were not taken from users’ wallets that contained preexisting tokens, so no user funds were compromised.
The BNB Chain team revealed in a blog post on Friday that a hacker initially withdrew 2 million BNB (around $568 million). According to blockchain security firm SlowMist, the attacker only made off with around $110 million because the vast majority of the stolen tokens, worth around $430 million, couldn’t be transferred as Binance suspended all transactions on the BNB Chain.
In a tweet, Binance CEO Changpeng Zhao said the hack could cost the company between $100 million and $110 million.
An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly.
— CZ 🔶 Binance (@cz_binance) October 6, 2022
Binance’s spokesperson, Ismael Garcia, declined to elaborate beyond the BNB Chain team’s blog post, which states that the network has been restored to normal operation. In order to prevent and respond to potential attacks in the future, the BNB Chain will implement a new form of on-chain governance, according to a recent blog post.
Adrian Hetman, tech lead of the Triaging Team at web3 bug bounty program provider Immunefi, said the flaw lies in the way Binance Bridge handles the proofs for transactions that move funds from one blockchain to another: if a user submits a valid message proof, the payout is processed.
The hacker successfully forged a message that fooled the contract’s logic into thinking the message was valid, even though the hacker had no legitimate claim to the funds. The payout was processed by BSC Token Hub after confirming its legitimacy.
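The pattern Hetman describes is the core of every bridge: a relayer hands the contract a message plus a proof, and the contract pays out only if that proof recomputes to a root it already trusts. The Python sketch below is an added illustration, not the BSC Token Hub code (the article does not describe the bridge's actual proof format or the specific defect), and it uses an assumed Merkle-tree construction, an assumed `BridgeVerifier` class and constructed sample transfer records. It shows what a verifier has to check before releasing funds: the proof must chain back to a root committed at a known block height, the message bytes must be exactly the ones the proof covers, and an already-paid claim must not be replayable.

```python
import hashlib
from dataclasses import dataclass

# --- Minimal Merkle tree (assumed construction, not the bridge's real proof format) ---

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(leaf: bytes) -> bytes:
    # Domain-separate leaves from inner nodes so an inner node cannot be passed off as a leaf.
    return _h(b"\x00" + leaf)

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def build_tree(leaves: list[bytes]) -> list[list[bytes]]:
    """Return every level of the tree, leaves first, root last (odd levels duplicate the last node)."""
    level = [leaf_hash(leaf) for leaf in leaves]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def make_proof(levels: list[list[bytes]], index: int) -> list[tuple[bytes, bool]]:
    """Merkle path for leaf `index`: (sibling hash, sibling_is_on_the_right) per level."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        proof.append((level[index ^ 1], index % 2 == 0))
        index //= 2
    return proof

def verify_proof(leaf: bytes, proof: list[tuple[bytes, bool]], root: bytes) -> bool:
    """Recompute the root from the leaf and path; True only if it equals the trusted root."""
    h = leaf_hash(leaf)
    for sibling, sibling_on_right in proof:
        h = node_hash(h, sibling) if sibling_on_right else node_hash(sibling, h)
    return h == root

# --- Bridge-side acceptance logic (assumed names) ---

@dataclass(frozen=True)
class TransferClaim:
    height: int                        # source-chain block height the proof is anchored to
    payload: bytes                     # the cross-chain message (constructed transfer record)
    proof: list[tuple[bytes, bool]]    # Merkle path from payload to that height's root

class BridgeVerifier:
    def __init__(self, trusted_roots: dict[int, bytes]):
        # Roots are committed by the validator set; a relayer never supplies the root itself.
        self.trusted_roots = dict(trusted_roots)
        self.processed: set[tuple[int, bytes]] = set()

    def accept(self, claim: TransferClaim) -> bool:
        root = self.trusted_roots.get(claim.height)
        if root is None:
            return False                       # unknown height: nothing to anchor the proof to
        if not verify_proof(claim.payload, claim.proof, root):
            return False                       # message bytes or path do not match the root
        key = (claim.height, claim.payload)
        if key in self.processed:
            return False                       # same proven message cannot be paid twice
        self.processed.add(key)
        return True

# Constructed sample messages standing in for a block's cross-chain transfer records.
SAMPLE_TRANSFERS = [
    b"transfer:alice->bob:10",
    b"transfer:carol->dave:25",
    b"transfer:erin->frank:3",
]

def demo() -> dict[str, bool]:
    levels = build_tree(SAMPLE_TRANSFERS)
    verifier = BridgeVerifier({100: levels[-1][0]})
    good = TransferClaim(100, SAMPLE_TRANSFERS[1], make_proof(levels, 1))
    return {
        "valid": verifier.accept(good),
        "replay": verifier.accept(good),
        "forged_payload": verifier.accept(TransferClaim(100, b"transfer:mallory->mallory:2000000", make_proof(levels, 1))),
        "unknown_height": verifier.accept(TransferClaim(101, SAMPLE_TRANSFERS[0], make_proof(levels, 0))),
    }

if __name__ == "__main__":
    print(demo())
```

The design point is that the trusted root comes from the verifier's own committed state, never from the relayer's submission; whatever the real proof format, an implementation that lets the prover influence which root it is checked against, or that accepts a proof without binding it to the exact message bytes being paid out, has no way to tell a legitimate claim from a forged one.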
In the past year, hackers have increasingly targeted cross-chain bridges. Harmony’s Horizon Bridge had $100 million stolen from it by a hacker in June, and the Nomad cross-chain bridge had $190 million worth of cryptocurrency stolen by attackers in August. According to Chainalysis, a blockchain data firm, approximately $2 billion worth of cryptocurrency has been stolen in cross-chain bridge hacks so far this year.
In March of this year, hackers attacked Axie Infinity’s Ronin Bridge and made off with $625 million.