Ankr, a decentralized finance protocol that is based on BNB Chain, has suffered a major hack due to a bug in its code that allowed the attacker to reportedly mint nearly 20 trillion Ankr Reward Bearing Staked BNB (aBNBc) tokens.
2022 has witnessed a flood of massive crypto exploits with billions of dollars lost. Although the crypto market has been a subject to several hacks, the decentralized finance (DeFi) market has been especially vulnerable to them. According to blockchain analytics company Chainalysis, investors have lost over $3 billion to hackers across 125 hacks in 2022 so far. A mammoth $718 million has been stolen from DeFi protocols across 11 different hacks in October alone.
A Grim Day for Ankr
Our aBNB token has been exploited, and we are currently working with exchanges to immediately halt trading.
— Ankr (@ankr) December 2, 2022
On November 2, Ankr took to Twitter to confirm the attack specifying that they’re working with several exchanges to immediately halt trading of the compromised token. The platform also stated that all underlying assets on Ankr Staking were safe and all infrastructure services were unaffected.
It seems the perpetrator managed to mint over 20 trillion worth of wrapped BNB tokens (aBNBc) and swapped them for BNB by moving the fund to Tornado Cash. The attacker then swapped the BNB tokens for the whopping $5 million USDC. For the uninitiated, aBNBc is a reward-bearing token for BNB available on the Ankr protocol.
How did the Attack Happen?
Our analysis shows the $aBNBc token contract has an unlimited mint bug. Specifically, while mint() is protected with onlyMinter modifier, there is another function (w/ 0x3b3a5522 func. signature) that completely bypasses the caller verification to have arbitrary mint !!! https://t.co/h51e7xpcVf pic.twitter.com/caRgasNNHq
— PeckShield Inc. (@peckshield) December 2, 2022
According to security research firm PeckShield, the code behind the Ankr contract allows any user to mint an unlimited amount of the protocol’s reward-bearing staking tokens without any sort of verification.
This allowed the attacker to mint the colossal amount of the aBNBc token. Meanwhile, as per on-chain analysis firm Lookonchain, the exploiter has also used services such as Uniswap and various bridges to swap apart from tornado cash to obfuscate the funds.
@ankr has been exploited. $aBNBc has dropped -99.5%.
The hacker minted tons of $aBNBc and made a profit of 5,500 BNB (~$1.6 million)
The deployer changed the implementation contract to the vulnerable contract address before the attack (possibly due to private key compromise). pic.twitter.com/GJheXh0oDp
— Beosin Alert (@BeosinAlert) December 2, 2022
Meanwhile, blockchain security firm Beosin suggested the exploit was likely the result of vulnerabilities in the smart contract code combined with compromised private keys. It noted that the episode caused the price of aBNBc to fall 99.5% from $303.89 to $1.53 in a matter of hours.
Deployer key compromised or inside job, it deployed an attack contract, changed the upgradeable aBNBc contract to the malicious implementation, then called the 0x3b3a5522 function to mint 10,000,000,000 tokens to his wallet. pic.twitter.com/qz1xK94ePQ
— BowTiedPickle.eth | Solidity Shipper (@BowTiedPickle) December 2, 2022
BowTiedPickle, a smart contract developer, suggested that the incident was either an inside job or resulted from Ankr’s deployer key becoming compromised.
Crypto exchange giant, Binance, also confirmed its team is engaged with relevant parties to investigate the matter further, adding that Binance’s user funds are not at risk.
This is not an attack against #Binance, and your funds are SAFU on our exchange. This thread will be updated should there be any updates.
— Binance (@binance) December 2, 2022