Transactions on the Binance blockchain, also known as BNB Chain and Binance Smart Chain, were halted today after a potential exploit in the network was detected through a spike in “irregular activity.”
The initial announcement was posted to Twitter by BNB Chain at 9:19 pm EDT, saying there would be a temporary pause on the BSC network. By 9:35 pm EDT, however, the network pause turned into a halt.
“All systems are now contained, and we are immediately investigating the potential vulnerability,” the group tweeted. “We know the Community will assist and help freeze any transfers.”
According to blockchain security firm SlowMist, the exploit allowed cybercriminals to get away with over $570 million in digital assets, including Ethereum, Polygon, BNB Chain, Avalanche, Fantom, Arbitrum, and Optimism.
“The attacker is spewing funds across liquidity pools and utilizing every bridge they can to get to safer chains,” blockchain developer @0xfoobar tweeted, adding that there was “complete chaos on the chain.”
This hack had the potential to be “either the first or second biggest hack of all time,” @0xfoobar told Decrypt via direct message, though the real impact will be significantly less given the mitigation efforts undertaken by the community.
The ultimate total value involved in the hack has yet to be determined, and currently varies based on how to account for the value of frozen versus transferred tokens.
BNB Chain assured the community that “all funds are safe.” The BNB tokens were not pre-existing tokens stolen from wallets, but instead wholly created by the attacker.
According to Sam Sun, a researcher at Paradigm, the hacker somehow convinced the Binance Bridge to send out 1 million BNB tokens. When it worked, the hacker used the same exploit to have another 1 million BNB tokens sent to an address they controlled.
By 10:20 pm EDT, BNB Chain said that $7 million in assets had been frozen before it could be transferred but acknowledged that between $70 million and $80 million were stolen from the Binance Smart Chain.
Initial estimates for funds taken off BSC are between $70M – $80M.
However, thanks to the community and our internal and external security partners, an estimated $7M has already been frozen
— BNB Chain (@BNBCHAIN) October 6, 2022
The group acknowledged the efforts of the Binance community and security personnel, and separately thanked a number of node providers “for their quick and decisive actions.”
Binance CEO Changpeng Zhao later posted an update pointed to a thread on Reddit where the company provided more technical details, and saying that “the current impact estimate is around $100m USD equivalent.”
“An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB,” Zhao explained.
This hack is similar to the recent Ronin and Harmony Cross-Chain Horizon Bridge exploits, @0xfoobar tells Decrypt. “Ronin was a private key exploit, [Harmony Bridge] was broken cryptography—the exact methodology differs a bit, but same general principles of broken cryptographic verification.”
“Broken proof verification lets hackers forge arbitrary messages,” he explained.