BNB Chain’s Cross-Chain Bridge Exploit Explained

BNB Chain’s Cross-Chain Bridge Exploit Explained

Nansen's research team dives into the BNB Chain's Cross-Chain Bridge exploit and traces the attackers activity.

Table of Contents

Text Link

What Happened?

On Oct 7, 2022, the cross-chain bridge which powers the Binance Coin (BNB) ecosystem was hacked. BNB Chain paused Binance Smart Chain (BSC) after determining a vulnerability had been exploited, as confirmed by Changpeng Zhao (CZ), CEO of Binance. All 44 validators were asked to temporarily suspend BSC in order to contain the damage. 

The Attacker illegally issued 2m BNB, worth approximately $566m, on Oct 6, 2022 from the address of BSC: Token Hub through two transactions of 1m BNB each. With quick actions taken by various parties, only ~$137m managed to be moved out to the other chains, while the rest were frozen in BSC.

How Did It Happen?

On Oct 5, 2022, a day before the attack, a ChangeNOW wallet sent 100 BNB to the Attacker, which was then used to register as a Relayer for BSC Token Hub. 

BSC Token Hub acts as a vault, facilitating cross-chain transactions between BNB Beacon Chain (BEP2) and Binance Smart Chain (BEP20). When an Externally Owned Account (EoA) or smart contract calls the BSC: Cross-Chain Bridge, the Relayers are responsible for submitting Cross-Chain Communication Packages between the two blockchains.

By registering as a Relayer for BSC Cross-Chain Bridge, the Attacker’s relaying requests could be accepted by BSC, allowing the Attacker to exploit a bug through the way BSC Token Hub verifies proofs.
After registering as a Relayer, the Attacker forged arbitrary messages on block height 110217401 (while the legitimate withdrawals’ block heights were much higher). This enabled the creation and subsequent withdrawal of the 2m BNB in two transactions:

  1. At 6:26 PM UTC, the Attacker succeeded in delivering a 1m BNB package to its own address.
  2. Between 8:32 PM and 8:42 PM UTC, the Attacker continued to make 15 failed attempts to deliver similar packages to its own address (the transactions failed with an error log of 'sequence not in order').
  3. Finally at 8:43 PM UTC, the Attacker succeeded in delivering the last 1m BNB package to its own address.

What Was Lost and What Is The Current Situation?

In previous hacks, perpetrators directly off-ramped the amount to a centralized exchange or a mixer service such as Tornado Cash once successful. However, in this case, the Attacker utilized Venus, a popular lending protocol on BNB Chain, and put down 900k BNB as collateral to borrow various stablecoins, such as USDT, USDC and BUSD.

It was done in five transactions:

  1. At 6:30 PM UTC, 4 minutes after the first hack, the first lending transaction of 600k BNB happened, resulting in 27.5m vBNB tokens worth over $250m.
  2. Within 2 minutes of supplying the collateral, two borrowing transactions were made, the first amounting to 62.4m BUSD.
  3. Second borrowing transaction of 50m USDT.
  4. At 6:36 PM UTC, the second lending transaction of 300k BNB occurred, resulting in 13.7m vBNB (~$129m).
  5. Following this, the final borrowing of nearly 35m USDC was made.

These stablecoins were then routed to multiple EVM-compatible chains using bridges such as Stargate Finance and Multichain, in incremental amounts of $400k-5m USD each. As of Oct 7, 2022, the following total amounts were bridged to various chains:

Source : Nansen, as at Oct 10, 2022

In each chain, the Attacker utilized various liquidity providers and lending protocols such as Curve Finance, Uniswap and Geist. The actions ranged from providing collateral to borrow certain tokens, swapping between stablecoins and conducting cross-asset swaps from stablecoins to Ethereum. Below are the detailed list of platforms that the Attacker interacted with and the total volume in USD and in Tokens:

Source : Nansen
Source : Nansen, as at Oct 10, 2022

After the Attacker managed to bridge, swap, transfer and provide collateral in these chains, the news spread on Twitter. Following this, three hours after the hack, BSC announced that the chain would be halted due to “irregular activity”. This prevented the Attacker from moving more funds onto other chains. Currently, the balances in the Attacker’s wallet are as follows:

Source : Nansen, as at Oct 10, 2022

Using Nansen Portfolio, one would be able to follow the interactions made by the Attacker and verify the respective balances on multiple chains.

Source: Nansen Portfolio

Furthermore, based on our-chain data and analysis, the following addresses are notable and/or connected to the Attacker:

Source: Nansen Query

ChangeNOW issued a statement following the hack, confirming that the exchange was used by the Attacker to send the initial funds needed to be registered as a BSC Cross-Chain Bridge Relayer. The address was assessed by its AML system for any suspicious or malicious activity prior to using its service, and as the system didn’t find any red flag in the address, the funds were sent to the recipient address successfully.

As an experienced hacker, the Attacker used new, clean addresses, as can be seen in the table above with the usage of different “burner” addresses in multiple chains. 

Using Nansen’s various features such as Portfolio, Wallet Profiler, Watchlist and Smart Alerts, you will be able to monitor the movement of funds in these addresses too. Sign up for free today.

Flowchart of the Hack

Below are the detailed flowcharts of transactions conducted from and to the Attacker’s address for clarity:

What’s Next?

At the time of writing this report, BNB Chain had released an official exploit response and is compiling a thorough post-mortem report. They also proposed on-chain governance votes for the following:

  1. Whether to freeze the hacked funds;
  2. Whether to use BNB Auto-Burn to cover the remaining hacked funds;
  3. Whitehat program to find bugs in the smart contracts, $1m rewards for each significant bug found;
  4. Bounty reward program for catching hackers, up to 10% of the recovered funds.

A temporary urgent patch was announced by the developers of BNB Chain on Oct 12, 2022 called Moran Hardfork, intended to reinstate the cross-chain infrastructure. The changes occured at block height 22,107,423 on the Mainnet, which includes IAVL hash check vulnerability fix, sequential block header check in BSC: Cross-Chain Bridge and relayer would be whitelisted to genesis candidates.

Once the points of vulnerability from this attack could be properly determined, BNB Chain also planned to introduce a new on-chain governance mechanism that will fight and defend against future attacks. 

Conclusion

The BNB Cross-Chain Bridge attack extended the list of bridge attacks in the past two years and was executed with careful planning and expertise in the field.

Based on our on-chain analysis, the Attacker was familiar with how cross-chain relayers work and managed to exploit a bug in the code. They also did not immediately off-ramp the funds to exchanges due to the risk of exposure, but utilized a sophisticated range of DeFi products within a short time to move the funds, to avoid detection instead.

Despite the swift response from BSC validators to halt the chain and minimize damage, over $100m had been moved to other chains, swapped into various assets and transferred to different burner addresses. The post-mortem report from the BNB Chain team might offer deeper insights into the technicality of the attack.

Interested in doing your own on-chain investigations? Sign up today!

Disclaimer

The authors of this content and members of Nansen may be participating or invested in some of the protocols or tokens mentioned herein. The foregoing statement acts as a disclosure of potential conflicts of interest and is not a recommendation to purchase or invest in any token or participate in any protocol. Nansen does not recommend any particular course of action in relation to any token or protocol. The content herein is meant purely for educational and informational purposes only and should not be relied upon as financial, investment, legal, tax or any other professional or other advice. None of the content and information herein is presented to induce or to attempt to induce any reader or other person to buy, sell or hold any token or participate in any protocol or enter into, or offer to enter into, any agreement for or with a view to buying or selling any token or participating in any protocol. Statements made herein (including statements of opinion, if any) are wholly generic and not tailored to take into account the personal needs and unique circumstances of any reader or any other person. Readers are strongly urged to exercise caution and have regard to their own personal needs and circumstances before making any decision to buy or sell any token or participate in any protocol. Observations and views expressed herein may be changed by Nansen at any time without notice. Nansen accepts no liability whatsoever for any losses or liabilities arising from the use of or reliance on any of this content.

Join 100,000+ Investors Getting Their Trading Edge From Nansen