BNB Chain Back Online Following $568 Million Exploit
BNB Chain, the native blockchain behind the Binance crypto exchange, has come back online after being suspended due to an exploit that drained around $600 million in crypto assets.
On October 6, Binance announced the suspension of deposits and withdrawals from its BNB chain after it identified that a hacker transferred approximately 2 million BNB tokens, worth around $590 million, to a now-blacklisted wallet.
In a Reddit post, the Binance team said an exploit of the cross-chain bridge BSC Token Hub resulted in extra BNB, adding that they asked validators to temporarily suspend BNB Smart Chain (BSC).
“The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly. The Community has already played a pivotal role in assisting and helping freeze any transfers. All funds are safe”.
Shortly after the suspension, the blockchain reported that network validators are back online and now “confirming their status,” as well as upgrading community infrastructure.
In a post-mortem, the BNB Chain team explained that they had to contact community validators one by one in order to halt the chain and stop the incident from spreading. “It was not that easy as BNB Smart Chain has 26 active validators at present and 44 in total in different time zones,” the team said.
Binance CEO Changpeng Zhao, commonly known as “CZ”, also tweeted about the incident, saying they asked validators to temporarily suspend BSC in order to contain the issue. He noted that the impact was minimal, about a quarter of the last BNB burn.
“Security is not a binary state, and it requires continuous investment and incremental improvements in processes for developing code, operating protocols and networks, and managing the novel risks that these promising technologies bring to the table.”
Irwin added that choosing a reliable, trustworthy audit firm requires a significant amount of research and lead time. Furthermore, it is important to research the work a prospective firm has done in the past by reviewing their reports and following the contributions of their team to the wider body of research in the field.
Damage Could Have Been “Far Worse”
The BNB team said that the exploit was through “a sophisticated forging of the low-level proof into one common library.” Anonymous blockchain security researcher samczsun detailed that the hacker used a message verification vulnerability found in the Binance bridge to send 2 million BNB into Venus protocol.
“There was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages,” they said, adding that the exploiter only forged two messages, but the “damage could have been far worse.”
“In summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages. Fortunately, the attacker here only forged two messages, but the damage could have been far worse.” — samczsun (@samczsun), October 7, 2022
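To make concrete what “verifying proofs” means for a cross-chain bridge, here is an added, self-contained example of Merkle inclusion-proof verification. It is not the Binance Bridge’s or BNB Chain’s code and does not reproduce the bug described above; the tree layout, the SHA-256 hashing, the leaf/node domain separation and the constructed sample messages are all assumptions chosen for illustration. The point it shows is the defender’s invariant: a proof must only ever validate the exact message it was issued for, against the exact root the bridge trusts.

```python
"""Merkle inclusion-proof verification (added example, not bridge code).

A bridge relayer presents (root, message, proof); the bridge must accept the
message only if the proof really chains that message up to the trusted root.
Tree shape, hash function and message format here are assumptions."""
import hashlib
import hmac
from typing import List, Tuple

# Domain separation: leaves and internal nodes are hashed with different prefixes,
# so an internal node can never be reinterpreted as a leaf, or a leaf as a node.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"

# Constructed sample cross-chain messages (not real transfers).
SAMPLE_MESSAGES: List[bytes] = [
    b"transfer:src=chainA:dst=chainB:to=addr1:amount=10",
    b"transfer:src=chainA:dst=chainB:to=addr2:amount=25",
    b"transfer:src=chainA:dst=chainB:to=addr3:amount=7",
    b"transfer:src=chainA:dst=chainB:to=addr4:amount=100",
    b"transfer:src=chainA:dst=chainB:to=addr5:amount=3",
]


def hash_leaf(data: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _pad(level: List[bytes]) -> List[bytes]:
    # An odd-length level duplicates its last node so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 == 1 else level


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Return all levels: levels[0] are leaf hashes, levels[-1] is [root]."""
    level = [hash_leaf(x) for x in leaves]
    levels = [level]
    while len(level) > 1:
        padded = _pad(level)
        level = [hash_node(padded[i], padded[i + 1]) for i in range(0, len(padded), 2)]
        levels.append(level)
    return levels


def merkle_root(leaves: List[bytes]) -> bytes:
    return build_tree(leaves)[-1][0]


def make_proof(leaves: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the flag says the sibling sits on the right."""
    proof = []
    for level in build_tree(leaves)[:-1]:
        padded = _pad(level)
        sibling = index ^ 1
        proof.append((padded[sibling], sibling > index))
        index //= 2
    return proof


def verify_proof(root: bytes, message: bytes, proof: List[Tuple[bytes, bool]]) -> bool:
    """Recompute the root from the message and its proof; accept only on an exact match."""
    node = hash_leaf(message)
    for sibling, sibling_is_right in proof:
        node = hash_node(node, sibling) if sibling_is_right else hash_node(sibling, node)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(node, root)


def demo() -> Tuple[bool, bool, bool]:
    """Genuine proof accepts; an altered message and a foreign root are both rejected."""
    root = merkle_root(SAMPLE_MESSAGES)
    proof = make_proof(SAMPLE_MESSAGES, 3)
    genuine = verify_proof(root, SAMPLE_MESSAGES[3], proof)
    # Same proof, but the relayer swapped in a message the source chain never committed.
    altered = verify_proof(root, b"transfer:src=chainA:dst=chainB:to=addr4:amount=2000000", proof)
    # Same message and proof, but checked against a root from a different batch.
    other_root = merkle_root(SAMPLE_MESSAGES[:2])
    foreign = verify_proof(other_root, SAMPLE_MESSAGES[3], proof)
    return genuine, altered, foreign


if __name__ == "__main__":
    print(demo())  # expect (True, False, False)
```

The two rejections in `demo()` are the properties a bridge’s verifier exists to enforce: the proof is bound to one message and to one trusted root, and any flexibility in how the verifier walks the proof (accepting nodes of the wrong kind, or a path that does not end at the committed root) is exactly what turns a proof check into a message-forging primitive.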
Meanwhile, some users have argued that the speed with which the BNB Chain was able to freeze funds indicated a high level of centralization throughout the chain.
Nevertheless, Binance’s native token, BNB, took a slight hit following the hack. The token dropped from around $300 to less than $280 in less than an hour following the hack. BNB is currently trading around $275, largely flat over the past 24 hours.