BNB Chain resumes operations after hacker drains at least $100m

Binance’s BNB Smart Chain was paused on October 6 due to “irregular activity” that was suspected to be an exploit on its cross-chain bridge, BSC Token Hub.

Rumors had earlier swirled on Twitter that the blockchain has been exploited, as on-chain sleuths detected an unusual transaction of $718 million on the BNB Chain. The attacker was initially speculated to be a “gigawhale,” possibly even Binance itself, but it became obvious that some illegal activity was taking place after Tether blacklisted the suspect address.

The hacker’s wallet was funded through the BNB bridge for one million BNB (around $290 million at the time of the attack). The funds were then sent to the lending protocol Venus, where the attacker borrowed $150 million in USDC/USDT/BUSD stablecoins against BNB collateral and started siphoning funds to other chains, namely Ethereum, Polygon, Avalanche, and Fantom. Shortly after, the hacker drained another one million BNB and moved it through Stargate Protocol, another cross-chain bridge.

According to blockchain security researchers, the hacker took advantage of a security bug to forge "security proofs" that allowed them to mint two million BNB out of thin air. These proofs are used to verify moving funds from the older Binance Chain (now renamed as Binance Beacon Chain) to the newer Binance Smart Chain through the bridge.

In response to the exploit, the BNB Chain team requested community validators to halt the network, contacting them one by one. As per the blog update, it wasn’t an easy rescue since the blockchain has in total 44 validators in different time zones, of which 26 were active at the time of the attack. “This delayed closure, but we were able to minimize the loss,” the team acknowledged, saying that they owe a “debt of gratitude” to the community’s swift response.

Thanks to the coordinated effort, roughly over $400 million worth of BNB tokens were frozen in the hacker’s address on BNB Chain. Additionally, an unspecified portion of funds got stuck in cross-chain bridges on the BNB blockchain side. It is estimated that the attacker was able to get away with $100 million to $110 million from an initial exploit of nearly $600 million.

Some security researchers labeled hacker’s skills as “poor,” pointing out that the perpetrator only managed to walk away with less than 20 percent of the initial sum.

Luckily, user funds remained unaffected, as the attacker opted to create new BNB tokens instead of stealing already minted ones. The BNB Chain team promised to share the details of the postmortem and further expand the number of community validators.

According to the official announcement, BNB Chain will conduct the on-chain voting to determine the fate of the frozen funds “in the next few days.” Furthermore, the community also gets to vote on the proposal to establish a whitehat program that pays up to $1 million for every bug found and a plan to allocate 10% of the recovered funds as a bounty for catching the hacker.