On Oct 7, 2022, the cross-chain bridge which powers the Binance Coin (BNB) ecosystem was hacked. BNB Chain paused Binance Smart Chain (BSC) after determining a vulnerability had been exploited, as confirmed by Changpeng Zhao (CZ), CEO of Binance. All 44 validators were asked to temporarily suspend BSC in order to contain the damage.
The Attacker illegally issued 2m BNB, worth approximately $566m, on Oct 6, 2022 from the address of BSC: Token Hub through two transactions of 1m BNB each. With quick actions taken by various parties, only ~$137m managed to be moved out to the other chains, while the rest were frozen in BSC.
How Did It Happen?
On Oct 5, 2022, a day before the attack, a ChangeNOW wallet sent 100 BNB to the Attacker, which was then used to register as a Relayer for BSC Token Hub.
BSC Token Hub acts as a vault, facilitating cross-chain transactions between BNB Beacon Chain (BEP2) and Binance Smart Chain (BEP20). When an Externally Owned Account (EoA) or smart contract calls the BSC: Cross-Chain Bridge, the Relayers are responsible for submitting Cross-Chain Communication Packages between the two blockchains.
By registering as a Relayer for BSC Cross-Chain Bridge, the Attacker’s relaying requests could be accepted by BSC, allowing the Attacker to exploit a bug through the way BSC Token Hub verifies proofs.
After registering as a Relayer, the Attacker forged arbitrary messages on block height 110217401 (while the legitimate withdrawals’ block heights were much higher). This enabled the creation and subsequent withdrawal of the 2m BNB in two transactions:
- At 6:26 PM UTC, the Attacker succeeded in delivering a 1m BNB package to its own address.
- Between 8:32 PM and 8:42 PM UTC, the Attacker continued to make 15 failed attempts to deliver similar packages to its own address (the transactions failed with an error log of 'sequence not in order').
- Finally at 8:43 PM UTC, the Attacker succeeded in delivering the last 1m BNB package to its own address.
What Was Lost and What Is The Current Situation?
In previous hacks, perpetrators directly off-ramped the amount to a centralized exchange or a mixer service such as Tornado Cash once successful. However, in this case, the Attacker utilized Venus, a popular lending protocol on BNB Chain, and put down 900k BNB as collateral to borrow various stablecoins, such as USDT, USDC and BUSD.
It was done in five transactions:
- At 6:30 PM UTC, 4 minutes after the first hack, the first lending transaction of 600k BNB happened, resulting in 27.5m vBNB tokens worth over $250m.
- Within 2 minutes of supplying the collateral, two borrowing transactions were made, the first amounting to 62.4m BUSD.
- Second borrowing transaction of 50m USDT.
- At 6:36 PM UTC, the second lending transaction of 300k BNB occurred, resulting in 13.7m vBNB (~$129m).
- Following this, the final borrowing of nearly 35m USDC was made.
These stablecoins were then routed to multiple EVM-compatible chains using bridges such as Stargate Finance and Multichain, in incremental amounts of $400k-5m USD each. As of Oct 7, 2022, the following total amounts were bridged to various chains:
In each chain, the Attacker utilized various liquidity providers and lending protocols such as Curve Finance, Uniswap and Geist. The actions ranged from providing collateral to borrow certain tokens, swapping between stablecoins and conducting cross-asset swaps from stablecoins to Ethereum. Below are the detailed list of platforms that the Attacker interacted with and the total volume in USD and in Tokens:
After the Attacker managed to bridge, swap, transfer and provide collateral in these chains, the news spread on Twitter. Following this, three hours after the hack, BSC announced that the chain would be halted due to “irregular activity”. This prevented the Attacker from moving more funds onto other chains. Currently, the balances in the Attacker’s wallet are as follows:
Using Nansen Portfolio, one would be able to follow the interactions made by the Attacker and verify the respective balances on multiple chains.
Furthermore, based on our-chain data and analysis, the following addresses are notable and/or connected to the Attacker:
ChangeNOW issued a statement following the hack, confirming that the exchange was used by the Attacker to send the initial funds needed to be registered as a BSC Cross-Chain Bridge Relayer. The address was assessed by its AML system for any suspicious or malicious activity prior to using its service, and as the system didn’t find any red flag in the address, the funds were sent to the recipient address successfully.
As an experienced hacker, the Attacker used new, clean addresses, as can be seen in the table above with the usage of different “burner” addresses in multiple chains.
Using Nansen’s various features such as Portfolio, Wallet Profiler, Watchlist and Smart Alerts, you will be able to monitor the movement of funds in these addresses too. Sign up for free today.
Flowchart of the Hack
Below are the detailed flowcharts of transactions conducted from and to the Attacker’s address for clarity:
At the time of writing this report, BNB Chain had released an official exploit response and is compiling a thorough post-mortem report. They also proposed on-chain governance votes for the following:
- Whether to freeze the hacked funds;
- Whether to use BNB Auto-Burn to cover the remaining hacked funds;
- Whitehat program to find bugs in the smart contracts, $1m rewards for each significant bug found;
- Bounty reward program for catching hackers, up to 10% of the recovered funds.
A temporary urgent patch was announced by the developers of BNB Chain on Oct 12, 2022 called Moran Hardfork, intended to reinstate the cross-chain infrastructure. The changes occured at block height 22,107,423 on the Mainnet, which includes IAVL hash check vulnerability fix, sequential block header check in BSC: Cross-Chain Bridge and relayer would be whitelisted to genesis candidates.
Once the points of vulnerability from this attack could be properly determined, BNB Chain also planned to introduce a new on-chain governance mechanism that will fight and defend against future attacks.
The BNB Cross-Chain Bridge attack extended the list of bridge attacks in the past two years and was executed with careful planning and expertise in the field.
Based on our on-chain analysis, the Attacker was familiar with how cross-chain relayers work and managed to exploit a bug in the code. They also did not immediately off-ramp the funds to exchanges due to the risk of exposure, but utilized a sophisticated range of DeFi products within a short time to move the funds, to avoid detection instead.
Despite the swift response from BSC validators to halt the chain and minimize damage, over $100m had been moved to other chains, swapped into various assets and transferred to different burner addresses. The post-mortem report from the BNB Chain team might offer deeper insights into the technicality of the attack.