Hackers steal at least $100 million from Binance-linked blockchain

The world’s largest cryptocurrency exchange Binance lost at least $100 million in a hack on Thursday, the company disclosed Thursday.

According to ’Binance CEO Changpeng Zhao, hackers exploited a vulnerability in BSC Token Hub, a bridge that facilitates the transfer of assets between two Binance blockchains — BNB Beacon Chain and BNB Smart Chain. 

The exploit in BSC Token Hub allowed hackers to mint 2 million Binance digital tokensworth approximately $570 million. In an interview with CNBC, Zhao said that no users lost their money as hackers were trying to siphon off just those extra tokens.

The value of BNB dropped by almost 4% on Friday, to $283 per coin, according to CoinMarketCap. 

An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly.

— CZ Binance (@cz_binance) October 6, 2022

Initially, the hackers tried to withdraw all $570 million from Binance, but the company temporarily shut down the vulnerable network to fix the bug, leaving the cybercriminals with nearly $118 million in stolen funds, which they’ve already moved to other networks.

An estimated $7 million has been frozen, so the actual hack amount is around $100 million to $110 million, according to Binance.

The cross-chain bridge hacks are common in the crypto world, according to Zhao. These blockchain-based open-source smart contracts help users to move between networks, but they have also become an attractive tool for cybercriminals to launder money. 

Nearly $2 billion worth of cryptocurrency had been stolen in 13 cross-chain bridge attacks, mostly in 2022, according to the blockchain research company Chainalysis. A cross-chain bridge platform called RenBridge has been used to launder at least $540 million in cryptocurrency over the last three years, while in March, hackers stole $600 million from a bridge behind the crypto-based video game Axie Infinity. 

These attacks are a blow to the whole digital assets industry, which suffers from declining crypto prices and a sharp drop in market value — from more than $3 trillion last year to less than $1 trillion now.

Any attempt to hack crypto platforms undermines trust in decentralized finance, which relies on algorithms and lacks regulation. “Software code is never bug-free,” Zhao said.

In response to the attack, Binance suspended transactions and fund transfers on BNB Smart Chain for approximately eight hours, but restarted it Friday morning. 

Early on Friday, Binance wrote on Reddit that the issue is contained and users’ funds are safe. 

How it happened

Hackers used the bug in the proof verifier of the bridge, meaning that they convinced the system that they had valid claims to the funds, according to cybersecurity firm Hacken. 

“Simply telling, he [the hacker] said to the bridge “I transferred 1 million BNB to you on the Beacon Chain, so you must give me 1 million BNB on Binance Smart Chain (BEP20),” Hacken wrote on Twitter.

Other researchers, including from Rekt and Paradigm, came to the same conclusion. 

Rather than sending freshly-minted BNB directly into the wallets, hackers deposited 900,000 BNB to the lending platform Venus Protocol, according to Hacken. 

Then hackers raced to move stolen funds to other chains, including Fantom, Avalanche, and Arbitrum before Binance suspended the network. The suspension “allowed saving the network and ecosystem from collapse, as the bridge had billions of dollars on the balance,” according to Hacken.

4.

He successfully transferred:

≈ $57M to Fantom

≈ $53M to Ethereum

≈ $4M to Arbitrum

≈ $3M to Avalanche

≈ $1M to Optimism

≈ $400k to Polygon

Making it roughly $118M withdrawn from from Binance Smart Chain

— Hacken (@hackenclub) October 7, 2022

What’s next

Binance said that its community will hold a vote on what to do with the hacked funds. Participants will also decide on a bounty for catching hackers and identifying future bugs. The company plans to pay $1 million for each significant bug found.

Binance will share the details of the hack and “all lessons on how to implement more advanced security measures” after the investigation. It will also introduce a new on-chain governance mechanism on the BNB Chain to fight and defend against future possible attacks.

“We need to learn how to make code more secure,” Zhao told CNBC. “In a blockchain world, one bug can result in very large losses.”

As of publication time, the company did not respond to an inquiry from The Record.