Binance, the world’s largest cryptocurrency exchange, confirmed on Thursday that hackers made off with at least $100 million, but the figure could have been significantly more.
The Binance blockchain, also known as BNB Chain and Binance Smart Chain, took the rare step of suspending transactions and money transfers after discovering a vulnerability affecting the BSC Token Hub’s cross-chain bridge. These bridges are designed to facilitate the transfer of assets from one independent blockchain to another.
The vulnerability in the BSC Token Hub bridge allowed the attacker to spoof messages, allowing them to mint new BNB tokens. Since the stolen tokens were not pre-existing tokens taken from wallets, no user funds were affected.
In a blog post on Friday, the BNB Chain team said a total of 2 million BNB – worth about $568 million – had been withdrawn initially by the hacker. But blockchain security company SlowMist says the attacker only managed to steal about $110 million because the majority of the stolen tokens, worth about $430 million, could not be transferred after the BNB Chain’s suspension.
Binance CEO Changpeng Zhao said in a tweet that the company estimates the impact of the breach at $100 million to $110 million.
“The problem is now under control. Your money is safe. We apologize for the inconvenience and will provide further updates accordingly,” Zhao said.
When approached for comment, Binance spokesman Ismael Garcia declined to comment posted off the blog by the BNB Chain team, who say the BNB Chain is now operational again. The blog post adds that a new on-chain governance mechanism will be introduced on the BNB Chain to combat and defend future potential attacks.
“The bug itself lies in how Binance Bridge processes the proofs of transactions that send the money from one chain to another,” Adrian Hetman, tech lead of the Triaging Team at Immunefi, a web3 provider of bug bounty programs, told me. to londonbusinessblog.com. “The logic checks the message proof, something a user submits, and proceeds with the payout if the proof is valid.”
“The hacker managed to forge such a message that it misled the logic of the contract into thinking that the message was indeed valid, even though the hacker had no valid claims to the money. BSC Token Hub then proceeded with the payout as everything was valid,” said Hetman.
Cross-chain bridge hacks have become a common occurrence in the past year. In June, a hacker exploited a vulnerability to steal $100 million from Harmony’s Horizon Bridge, and in August attackers drained $190 million worth of crypto from the Nomad cross-chain bridge. According to blockchain data firm Chainalysis, about $2 billion worth of cryptocurrency has been stolen in cross-chain bridge hacks so far this year.
Earlier this year, hackers stole $625 million after the attack on Axie Infinity’s Ronin Bridge in March.