BNB Chain-based decentralized finance (DeFi) protocol Ankr has confirmed it has been hit by a multi-million dollar exploit on Dec. 1.
The attack appeared to be first discovered by on-chain security analyst PeckShield at approximately 12:35 am UTC on Dec. 2.
Within an hour of the attack, Ankr confirmed on Twitter that the aBNB token has been exploited and that it’s working with exchanges to immediately halt trading of the compromised token.
Our aBNB token has been exploited, and we are currently working with exchanges to immediately halt trading.— Ankr (@ankr) December 2, 2022
The attacker was purportedly able to mint 20 trillion Ankr Reward Bearing Staked BNB (aBNBc), a reward-bearing token for BNB (BNB) staked on the protocol.
According to a Twitter post from on-chain analysis firm Lookonchain, the exploiter has since used services such as Uniswap, Tornado Cash, and various bridges to swap and obfuscate the funds in order to gain around $5 million worth of USD Coin (USDC).
It also added in a following post that “all underlying assets on Ankr Staking are safe at this time, and all infrastructure services are unaffected.”
Seems that @ankr got hacked an hour ago!— Lookonchain (@lookonchain) December 2, 2022
The exploiter minted 20T aBNBc and dumped it on #PancakeSwap.
At present, the exploiter have successfully exchanged more than 5 million $USDC.https://t.co/hF1tgNYw0t pic.twitter.com/XIPjBi6wvs
In comments to Cointelegraph about the attack, blockchain security firm Beosin suggested the exploit was likely the result of vulnerabilities in the smart contract code combined with compromised private keys, which may have come from a technical upgrade by the Ankr team about 12 hours ago.
Beosin also noted that the mass minting episode caused the price of aBNBc to fall 99.5% from $303.89 to $1.53 in a matter of hours, according to data from CoinMarketCap.
@ankr has been exploited. $aBNBc has dropped -99.5%.— Beosin Alert (@BeosinAlert) December 2, 2022
The hacker minted tons of $aBNBc and made a profit of 5,500 BNB (~$1.6 million)
The deployer changed the implementation contract to the vulnerable contract address before the attack (possibly due to private key compromise). pic.twitter.com/GJheXh0oDp
“It is possible that the deployer’s private key was exposed in this upgrade, leading to an attacker using deployer privileges to modify the contract,” a Beosin spokesperson told Cointelegraph.
In a Dec. 2 Twitter post, crypto exchange Binance confirmed its team is engaged with relevant parties to investigate the matter further, adding that Binance’s user funds are not at risk. The BNB Chain Twitter page also stated that the exploiter’s wallet address has been blacklisted.
We are aware of the attack on @ankr's aBNBc that happened earlier today, leading to a substantial amount of new aBNBc being minted. The exploiter has been blacklisted.— BNB Chain (@BNBCHAIN) December 2, 2022
Our community is on top of it, coordinating a response. We will provide more updates as they become available.
Cointelegraph contacted Ankr when the exploit was first discovered but did not receive an immediate response.
Update 4:30am UTC Dec. 2: Added in an official statement from Ankr comments from Beosin.
Update 5:30am UTC Dec. 2: Added a statement from Binance’s BNB Chain Twitter account.