DeFi Protocol Ankr Suffers Multi Million Dollar Exploit

Ankr, a decentralized finance protocol that is based on BNB Chain, has suffered a major hack due to a bug in its code that allowed the attacker to reportedly mint nearly 20 trillion Ankr Reward Bearing Staked BNB (aBNBc) tokens.

2022 has witnessed a flood of massive crypto exploits, with billions of dollars lost. Although the crypto market as a whole has been subject to several hacks, the decentralized finance (DeFi) market has been especially vulnerable to them. According to blockchain analytics company Chainalysis, investors have lost over $3 billion to hackers across 125 hacks in 2022 so far. A mammoth $718 million has been stolen from DeFi protocols across 11 different hacks in October alone.

A Grim Day for Ankr

On November 2, Ankr took to Twitter to confirm the attack, specifying that it was working with several exchanges to immediately halt trading of the compromised token. The platform also stated that all underlying assets on Ankr Staking were safe and all infrastructure services were unaffected.

It seems the perpetrator managed to mint over 20 trillion wrapped BNB tokens (aBNBc) and swapped them for BNB, moving the funds to Tornado Cash. The attacker then swapped the BNB tokens for a whopping $5 million in USDC. For the uninitiated, aBNBc is a reward-bearing token for BNB available on the Ankr protocol.

How did the Attack Happen?

According to security research firm PeckShield, the code behind the Ankr contract allows any user to mint an unlimited amount of the protocol’s reward-bearing staking tokens without any sort of verification.

This allowed the attacker to mint the colossal amount of aBNBc tokens. Meanwhile, according to on-chain analysis firm Lookonchain, the exploiter also used services such as Uniswap and various bridges, in addition to Tornado Cash, to swap and obfuscate the funds.
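
A defender-side check for the kind of unrestricted minting PeckShield describes, added here as an illustration and not taken from Ankr's contract or any firm's tooling: it replays token Transfer events and flags any mint that is large relative to the supply just before it. The addresses, block numbers, amounts, initial supply and 5% threshold are constructed assumptions, as is the convention that the token reports mints as transfers from the zero address.

```python
from dataclasses import dataclass

# Token mints conventionally appear as Transfer events from the zero address.
ZERO_ADDRESS = "0x" + "0" * 40


@dataclass
class Transfer:
    block: int
    sender: str
    recipient: str
    amount: int  # whole tokens for readability; real events carry base units


def find_anomalous_mints(events, initial_supply, max_mint_ratio=0.05):
    """Replay events in block order and return (event, ratio) for each mint
    larger than max_mint_ratio of the circulating supply just before it."""
    supply = initial_supply
    alerts = []
    for ev in sorted(events, key=lambda e: e.block):
        if ev.sender == ZERO_ADDRESS:  # mint
            ratio = ev.amount / supply if supply > 0 else float("inf")
            if ratio > max_mint_ratio:
                alerts.append((ev, ratio))
            supply += ev.amount
        elif ev.recipient == ZERO_ADDRESS:  # burn
            supply -= ev.amount
    return alerts


# Constructed sample data: addresses, blocks and amounts are illustrative only.
STAKER = "0x" + "a" * 40
OTHER = "0x" + "b" * 40
UNKNOWN = "0x" + "c" * 40
SAMPLE_EVENTS = [
    Transfer(100, ZERO_ADDRESS, STAKER, 500),           # ordinary staking mint
    Transfer(101, STAKER, OTHER, 200),                  # plain transfer, ignored
    Transfer(102, OTHER, ZERO_ADDRESS, 200),            # burn on unstake
    Transfer(103, ZERO_ADDRESS, UNKNOWN, 20 * 10**12),  # mint dwarfing the supply
]

if __name__ == "__main__":
    for ev, ratio in find_anomalous_mints(SAMPLE_EVENTS, initial_supply=1_000_000):
        print(f"ALERT block {ev.block}: {ev.amount} minted to {ev.recipient} "
              f"({ratio:,.0f}x prior supply)")
```

A monitor like this does not prevent the mint, but it gives exchanges and the protocol team an early signal to halt trading of the affected token.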

Meanwhile, blockchain security firm Beosin suggested the exploit was likely the result of vulnerabilities in the smart contract code combined with compromised private keys. It noted that the episode caused the price of aBNBc to fall 99.5% from $303.89 to $1.53 in a matter of hours.

BowTiedPickle, a smart contract developer, suggested that the incident was either an inside job or resulted from Ankr’s deployer key becoming compromised.

Crypto exchange giant Binance also confirmed that its team is engaged with relevant parties to investigate the matter further, adding that Binance’s user funds are not at risk.