DeFi Protocol Ankr Suffers Infinity Minting Exploit – Here’s What Happened
Decentralized finance (DeFi) infrastructure provider Ankr has been exploited to the tune of over $5 million due to a bug that allowed for unlimited minting of its token.
In a tweet today, the team said that their aBNBc token had been exploited. They also asked exchanges to halt trading and asked liquidity providers to remove liquidity from decentralized exchanges (DEXs).
The team did not provide specific details of the exploit, but crypto security firm PeckShield said the project’s smart contract had an unlimited minting bug. This allowed the attacker to mint six quadrillion aBNBc tokens, tanking the token price as the supply hit the market.
Our analysis shows the $aBNBc token contract has an unlimited mint bug. Specifically, while mint() is protected with onlyMinter modifier, there is another function (w/ 0x3b3a5522 func. signature) that completely bypasses the caller verification to have arbitrary mint !!! https://t.co/h51e7xpcVf pic.twitter.com/caRgasNNHq
— PeckShield Inc. (@peckshield) December 2, 2022
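One defensive check for the situation PeckShield describes, shown as an added example that is not code from the article, PeckShield or Ankr: list the function selectors an implementation's dispatcher accepts and flag any that are missing from the reviewed ABI. The bytecode and the reviewed set are constructed for illustration; only 0x3b3a5522 is taken from the tweet above.

```python
# Added example. Bytecode and the reviewed set are constructed for illustration;
# only 0x3b3a5522 comes from the PeckShield tweet quoted above.
PUSH1, PUSH2, PUSH4, PUSH32 = 0x60, 0x61, 0x63, 0x7F
DUP1, DUP2, EQ, JUMPI = 0x80, 0x81, 0x14, 0x57


def dispatcher_selectors(runtime: bytes) -> set:
    """Return the 4-byte selectors that the dispatcher compares with EQ."""
    found, pc = set(), 0
    while pc < len(runtime):
        op = runtime[pc]
        if PUSH1 <= op <= PUSH32:
            width = op - PUSH1 + 1
            imm = runtime[pc + 1 : pc + 1 + width]
            nxt = runtime[pc + 1 + width : pc + 3 + width]
            # Dispatcher shapes: PUSH4 sel EQ, or PUSH4 sel DUP2 EQ
            is_case = nxt[:1] == bytes([EQ]) or nxt == bytes([DUP2, EQ])
            if op == PUSH4 and len(imm) == 4 and is_case:
                found.add("0x" + imm.hex())
            pc += 1 + width  # skip the immediate so data is never read as opcodes
        else:
            pc += 1
    return found


def unreviewed_selectors(runtime: bytes, reviewed: dict) -> list:
    """Selectors callable in the bytecode but missing from the reviewed ABI."""
    return sorted(dispatcher_selectors(runtime) - set(reviewed))


def _case(selector: str, dest: int) -> bytes:
    # DUP1 PUSH4 <selector> EQ PUSH2 <dest> JUMPI
    head = bytes([DUP1, PUSH4]) + bytes.fromhex(selector[2:])
    return head + bytes([EQ, PUSH2]) + dest.to_bytes(2, "big") + bytes([JUMPI])


# Reviewed ABI (assumed): standard ERC-20 selectors plus mint(address,uint256).
REVIEWED = {"0x18160ddd": "totalSupply()", "0x70a08231": "balanceOf(address)",
            "0xa9059cbb": "transfer(address,uint256)",
            "0x40c10f19": "mint(address,uint256), onlyMinter"}
PROLOGUE = bytes.fromhex("60003560e01c")  # PUSH1 0 CALLDATALOAD PUSH1 0xe0 SHR
# A PUSH32 constant whose data happens to look like "PUSH4 deadbeef EQ".
DECOY = bytes([PUSH32]) + bytes.fromhex("63deadbeef14").ljust(32, b"\x00")
OLD_IMPL = PROLOGUE + b"".join(_case(s, 0x100 + i) for i, s in enumerate(REVIEWED)) + DECOY
NEW_IMPL = OLD_IMPL + _case("0x3b3a5522", 0x0200)

if __name__ == "__main__":
    print("before upgrade:", unreviewed_selectors(OLD_IMPL, REVIEWED))
    print("after upgrade: ", unreviewed_selectors(NEW_IMPL, REVIEWED))
```

Walking opcodes and skipping push immediates matters here: a plain byte search for 0x63 would report the decoy constant as a selector.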
After minting quadrillions of aBNBc tokens, the attacker used the decentralized exchange PancakeSwap to swap them for BNB before moving them to crypto mixer Tornado Cash. The attacker then swapped the BNB tokens for 5 million USDC.
Since the hacker has almost drained the aBNBc liquidity pools on PancakeSwap and ApeSwap, the token has plunged by more than 99%. As of now, the aBNBc token is trading at $1.52, down by 99.5% over the past day. The coin recorded an all-time high of over $380 in May this year.
Crypto security firm Lookonchain also reported that one opportunistic trader managed to turn 10 BNB ($2,885) into 15.5 million BUSD by using the BNB to buy aBNBc and then posting the aBNBc as collateral for a 15.5 million BUSD loan on DeFi lending protocol Helio, which did not have up-to-date pricing on aBNBc post-crash.
The team is already looking for ways to reimburse affected users.
We are currently drafting a plan and we are committed to compensating affected users.
— Ankr (@ankr) December 2, 2022
Binance CEO CZ also confirmed the hack, adding that the exchange froze about $3 million worth of crypto assets that the hacker had deposited.
Possible hacks on Ankr and Hay. Initial analysis is developer private key was hacked, and the hacker updated the smart contract to a more malicious one. Binance paused withdrawals a few hrs ago. Also froze about $3m that hackers move to our CEX.
— CZ 🔶 Binance (@cz_binance) December 2, 2022
Ankr is a cross-chain infrastructure with a DeFi platform that enables staking and dApp development. It hosts various protocols related to the development of dApps and the DeFi sector.
Notably, hacks and exploits continue to be rampant in crypto. As reported, Binance announced the suspension of deposits and withdrawals from its BNB chain in early October after it identified an unauthorized transfer of BNB coins. The hacker or hackers used a bug to withdraw BNB 2 million, worth around $568 million at the time.