Binance's BNB cryptocurrency hit by massive $569 million hack
Early on Friday, after a hacker stole $568.6 million worth of BNB, the Binance chain's native token, cryptocurrency exchange Binance resumed operations on its BSC Token Hub smart contract.
Without providing details, the business claims that "the great bulk of the monies remain under control." According to a corporate post on Reddit, it had frozen $7 million of the stolen money.
On Thursday night, PeckShield, a blockchain security company, said that the attacker transferred $89.5 million of the stolen money off the Binance chain. As of early Friday morning, the blockchain security company CertiK estimated the sum to be $110.7 million.
In order to "block hacker accounts from acting," the corporation changed the vulnerable contract to version v1.1.15 and claims to "own(s) this [the attack]." It made no mention of how it would achieve this.
Around 7:00 a.m. UTC on Friday, the business stated that more upgrades are anticipated, even as validators check their statuses in parallel.
A consensus process is used by the BSC Token Hub, and transactions must be approved by many validators. Out of the 44 total validators, 26 are currently active.
"Decentralized chains are not intended to be halted, but we were able to stop the issue from spreading by getting in touch with community validators one by one. Due to the delay in closing, we were able to reduce the loss," the business claims.
The attack on the cross-chain bridge is the most recent in a string of similar incidents. According to blockchain security firm Chainalysis, $2 billion worth of bitcoin has been taken from bridges this year. According to the report, 69% of the funds stolen in 2022 through July were taken in bridge attacks.
The most recent event ranks third in terms of the size of cross-chain bridge attacks over the previous two years, behind only the $615 million Ronin Network theft and the $612 million Poly Network incident.
The BSC Token Hub bridge accepted forged proof messages sent by the attacker. According to CertiK, the problem was probably caused by the bridge's incomplete verification of the Merkle proof against the root hash, which allowed the attacker to create forged proofs from a prior, legitimate one and mint BNB straight to their wallet. It says that the attack is distinctive because the hacker minted new funds instead of stealing existing ones.
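To make "incomplete verification of a Merkle proof" concrete, here is an added example that is not taken from the article, from CertiK, or from the BSC Token Hub code, and does not reproduce the bridge's actual proof format. It uses a simplified binary SHA-256 tree with hypothetical names and constructed data, and shows a verifier that checks only part of a proof beside one that binds everything the caller acts on to the root hash.

```python
import hashlib

def leaf_hash(payload: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + payload).digest()        # leaf domain tag

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()   # inner-node domain tag

def build_levels(payloads):
    """All tree levels, leaves first; expects a power-of-two number of payloads."""
    levels = [[leaf_hash(p) for p in payloads]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def make_proof(levels, index, payload):
    """Proof = payload, claimed leaf hash, and (sibling_hash, sibling_is_left) steps."""
    proof = {"payload": payload, "leaf": levels[0][index], "path": []}
    for level in levels[:-1]:
        proof["path"].append((level[index ^ 1], (index & 1) == 1))
        index //= 2
    return proof

def fold(leaf, path):
    """Hash a leaf upward through the sibling path to a candidate root."""
    acc = leaf
    for sibling, sibling_is_left in path:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return acc

def verify_incomplete(proof, root):
    # Walks the claimed leaf hash up to the root but never checks that the
    # payload the caller will act on is what that leaf hash commits to.
    return fold(proof["leaf"], proof["path"]) == root

def verify_complete(proof, root, depth):
    # Recompute the leaf from the payload itself and pin the path length, so
    # every byte the caller acts on is covered by the root hash.
    if len(proof["path"]) != depth:
        return False
    return fold(leaf_hash(proof["payload"]), proof["path"]) == root

def demo():
    payloads = [b"msg-0", b"msg-1", b"msg-2", b"msg-3"]       # constructed sample data
    levels = build_levels(payloads)
    root, depth = levels[-1][0], len(levels) - 1
    good = make_proof(levels, 2, payloads[2])
    altered = dict(good, payload=b"msg-altered")              # same hashes, different payload
    return [(verify_incomplete(p, root), verify_complete(p, root, depth))
            for p in (good, altered)]
```

The point for reviewers of bridge and light-client code: any field of a proof that the verifier reads but does not feed into the recomputed root is a field the root hash does not protect.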
The attack seems to have started on Thursday at approximately 10:00 p.m. UTC. PeckShield informed ISMG at the time that the attacker's wallet displayed cryptocurrency valued at around $586 million at 1:00 a.m. UTC.
In a series of tweets, well-known crypto researcher @samczsun, a researcher at web3 investment business Paradigm, described the technical specifics of the attack.
Binance plans to hold on-chain governance votes to decide whether or not to set up a bug bounty programme that will pay $1 million to people who report "significant" bugs, set up a bug bounty programme to offer a 10% bounty for finding the hacker and returning the funds, freeze the stolen funds, and use BNB auto-burn to recover the remaining stolen funds. Coin burning is a method used by cryptocurrency businesses to permanently remove a specific amount of coins from circulation.
In order to "combat and resist future prospective assaults," the business says it will establish a new on-chain governance system on the BNB Chain. It will also reportedly boost the number of community validators. Governance mechanisms are used by blockchain projects, especially decentralised ones, to share voting authority among their users.
In order to address cross-chain vulnerabilities, Binance said it will share the lessons learned from the event and put security measures in place.