Trading on the Binance blockchain, also known as BNB Chain and Binance Smart Chain, was halted today after a potential exploit in the network was detected via a spike in “irregular activity”.
The initial announcement was posted to Twitter by BNB Chain at 9:19 p.m. EDT, indicating that there would be a temporary hiatus on the BSC network. At 9:35 p.m. EDT, however, the network’s hiatus turned into a shutdown.
“All systems are now in containment and we are immediately investigating the potential vulnerability,” the group tweeted. “We know the Community will help and help freeze all transfers.”
According to blockchain security firm SlowMist, the exploit allowed cybercriminals to get away with more than $570 million in digital assets, including Ethereum, Polygon, BNB Chain, Avalanche, Fantom, Arbitrum, and Optimism.
“The attacker spews funds through liquidity pools and uses all possible bridges to access safer chains,” blockchain developer @0xfoobar tweeted, adding that there was “complete chaos on the chain”.
This hack had the potential to be “the first or second biggest hack of all time”, @0xfoobar told Decrypt by direct message, although the actual impact will be much less given the mitigation efforts undertaken by the community.
The ultimate total value involved in the hack has yet to be determined and currently varies depending on how the value of frozen tokens is accounted for versus that of transferred tokens.
BNB Chain assured the community that “all funds are safe”. The BNB tokens were not pre-existing tokens stolen from wallets, but rather created entirely by the attacker.
According to Paradigm researcher Sam Sun, the hacker somehow convinced the Binance bridge to send 1 million BNB tokens. When it worked, the hacker used the same exploit to send an additional 1 million BNB tokens to an address he controlled.
As of 10:20 p.m. EDT, BNB Chain said $7 million in assets had been frozen before they could be transferred, but acknowledged that between $70 million and $80 million had been stolen from Binance Smart Chain.
Initial estimates of funds withdrawn from BSC are between $70 million and $80 million.
However, thanks to the community and our internal and external security partners, approximately $7 million has already been frozen.
– BNB Chain (@BNBCHAIN) October 6, 2022
The group acknowledged the efforts of the Binance community and security personnel, and separately thanked a number of node providers “for their quick and decisive actions.”
Binance CEO Changpeng Zhao then posted an update pointing to a thread on Reddit where the company provided more technical details and said “the current estimate of impact is around US$100 million”.
“An exploit on a cross-chain bridge, BSC Token Hub, resulted in additional BNB,” Zhao explained.
This hack is similar to the recent Ronin and Harmony Horizon Bridge exploits, @0xfoobar told Decrypt. “Ronin was a private key exploit, [Harmony Bridge] was broken crypto – the exact methodology differs a bit, but the same general principles of broken crypto verification.”
“Broken proof verification allows hackers to forge arbitrary messages,” he explained.