Transactions on the Binance blockchain, also known as BNB Chain and Binance Smart Chain, were halted today after a potential exploit in the network was detected through a spike in "irregular activity."
The initial announcement was posted to Twitter by BNB Chain at 9:19 pm EDT, saying there would be a temporary pause on the BSC network. By 9:35 pm EDT, however, the network pause turned into a halt.
"All systems are now contained, and we are immediately investigating the potential vulnerability," the group tweeted. "We know the Community will assist and help freeze any transfers."
According to blockchain security firm SlowMist, the exploit allowed cybercriminals to get away with over $570 million in digital assets, including Ethereum, Polygon, BNB Chain, Avalanche, Fantom, Arbitrum, and Optimism.
"The attacker is spewing funds across liquidity pools and utilizing every bridge they can to get to safer chains," blockchain developer @0xfoobar tweeted, adding that there was "complete chaos on the chain."
This hack had the potential to be "either the first or second biggest hack of all time," @0xfoobar told Decrypt via direct message, though the real impact will be significantly less given the mitigation efforts undertaken by the community.
The ultimate total value involved in the hack has yet to be determined, and currently varies depending on how the value of frozen versus transferred tokens is accounted for.
BNB Chain assured the community that "all funds are safe." The BNB tokens were not pre-existing tokens stolen from wallets, but instead wholly created by the attacker.
According to Sam Sun, a researcher at Paradigm, the hacker somehow convinced the Binance Bridge to send out 1 million BNB tokens. When it worked, the hacker used the same exploit to have another 1 million BNB tokens sent to an address they controlled.
By 10:20 pm EDT, BNB Chain said that $7 million in assets had been frozen before it could be transferred but acknowledged that between $70 million and $80 million were stolen from the Binance Smart Chain.
The group acknowledged the efforts of the Binance community and security personnel, and separately thanked a number of node providers "for their quick and decisive actions."
Binance CEO Changpeng Zhao later posted an update pointing to a thread on Reddit where the company provided more technical details, saying that “the current impact estimate is around $100m USD equivalent.”
"An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB," Zhao explained.
This hack is similar to the recent Ronin and Harmony Cross-Chain Horizon Bridge exploits, @0xfoobar tells Decrypt. "Ronin was a private key exploit, [Harmony Bridge] was broken cryptography—the exact methodology differs a bit, but same general principles of broken cryptographic verification."
"Broken proof verification lets hackers forge arbitrary messages," he explained.