Binance CEO Changpeng Zhao revealed on Dec. 2 that the exchange froze around $3 million of the funds from Ankr’s hack.
Possible hacks on Ankr and Hay. Initial analysis is developer private key was hacked, and the hacker updated the smart contract to a more malicious one. Binance paused withdrawals a few hrs ago. Also froze about $3m that hackers move to our CEX.
— CZ 🔶 Binance (@cz_binance) December 2, 2022
Hacker exploits Ankr Protocol’s code
A hacker exploited a bug in Ankr Protocol’s code to mint six quadrillion aBNBc tokens and converted part of them into $5 million USDC.
Blockchain security firm PeckShield said its analysis of the aBNBc token contract showed an unlimited mint bug that allows arbitrary minting of the tokens.
Our analysis shows the $aBNBc token contract has an unlimited mint bug. Specifically, while mint() is protected with onlyMinter modifier, there is another function (w/ 0x3b3a5522 func. signature) that completely bypasses the caller verification to have arbitrary mint !!! https://t.co/h51e7xpcVf pic.twitter.com/caRgasNNHq
— PeckShield Inc. (@peckshield) December 2, 2022
Another blockchain security company, Beosin, tweeted that the attack was likely due to a private key compromise because the deployer changed the implementation contract address before the attack. The attacker then called the mintApprovedTo function, which allowed anyone to mint tokens.
@ankr has been exploited. $aBNBc has dropped -99.5%.
The hacker minted tons of $aBNBc and made a profit of 5,500 BNB (~$1.6 million)
The deployer changed the implementation contract to the vulnerable contract address before the attack (possibly due to private key compromise). pic.twitter.com/GJheXh0oDp
— Beosin Alert (@BeosinAlert) December 2, 2022
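The two signals reported above, an implementation change on the proxy followed by minting that bypasses the minter check, can both be watched for in on-chain events. The Python below is an added example, not code from Ankr, PeckShield or Beosin. It assumes the proxy emits the standard Upgraded(implementation) event, that mints show up as ERC-20 Transfer events from the zero address, and that events arrive decoded into the hypothetical Event records shown; every address and amount is constructed.

```python
from dataclasses import dataclass

ZERO = "0x" + "00" * 20  # ERC-20 mints are Transfer events from the zero address

@dataclass
class Event:
    block: int
    kind: str     # "Upgraded" (proxy implementation change) or "Transfer"
    sender: str   # account that sent the transaction
    args: dict

def scan(events, approved_impls, minters, supply, max_mint_pct=5):
    """Return (block, rule, detail) alerts for one proxied ERC-20 token."""
    alerts, unreviewed = [], None
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "Upgraded":
            impl = ev.args["implementation"]
            unreviewed = None if impl in approved_impls else impl
            if unreviewed:
                alerts.append((ev.block, "UNREVIEWED_IMPLEMENTATION", impl))
        elif ev.kind == "Transfer" and ev.args["from"] == ZERO:
            value = ev.args["value"]
            if ev.sender not in minters:  # caller check done off-chain as a backstop
                alerts.append((ev.block, "MINT_BY_NON_MINTER", ev.sender))
            if value * 100 > supply * max_mint_pct:  # integer math, no floats
                alerts.append((ev.block, "MINT_EXCEEDS_SUPPLY_RATIO", value))
            if unreviewed:  # mint while an unreviewed implementation is live
                alerts.append((ev.block, "MINT_AFTER_UNREVIEWED_UPGRADE", unreviewed))
            supply += value
        elif ev.kind == "Transfer" and ev.args["to"] == ZERO:
            supply -= ev.args["value"]  # burn
    return alerts

# Constructed sample data: every address and amount below is made up.
MINTER, DEPLOYER, OTHER = ("0x" + c * 40 for c in "abc")
IMPL_V1, IMPL_V2 = "0x" + "1" * 40, "0x" + "2" * 40
SUPPLY = 1_000_000 * 10**18

NORMAL = [
    Event(100, "Transfer", MINTER, {"from": ZERO, "to": OTHER, "value": 500 * 10**18}),
    Event(101, "Transfer", OTHER, {"from": OTHER, "to": MINTER, "value": 10**18}),
]
INCIDENT = NORMAL + [
    Event(200, "Upgraded", DEPLOYER, {"implementation": IMPL_V2}),
    Event(201, "Transfer", OTHER, {"from": ZERO, "to": OTHER, "value": 10**31}),
]

def rules(events):
    return [rule for _, rule, _ in scan(events, {IMPL_V1}, {MINTER}, SUPPLY)]
```

On the constructed INCIDENT stream, the upgrade at block 200 raises the first alert one block before the oversized mint, which is the window in which pausing the token or halting trading is still useful.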
According to CoinMarketCap, aBNBc is a reward-bearing token whose value grows as its redemption ratio grows.
Attacker nets $5 million
Lookonchain tweeted that the exploiter minted 20 trillion tokens and dumped them on PancakeSwap.
Seems that @ankr got hacked an hour ago!
The exploiter minted 20T aBNBc and dumped it on #PancakeSwap.
— Lookonchain (@lookonchain) December 2, 2022
PeckShield said the exploiter bridged the stolen funds to Ethereum via Celer and deBridgeGate and also transferred some of these funds through Tornado Cash. The firm added that the exploiter moved 900 BNB ($253,000) to Tornado Cash and bridged 3000 ETH and $500,000 USDC to Ethereum.
Ankr confirms exploit
Ankr confirmed on Dec. 2 that its aBNB token was exploited.
Our aBNB token has been exploited, and we are currently working with exchanges to immediately halt trading.
— Ankr (@ankr) December 2, 2022
According to the decentralized web3 infrastructure provider, it is in touch with exchanges to stop trading. The firm added, “all underlying assets on Ankr Staking are safe at this time, and all infrastructure services are unaffected.”
It also urged all liquidity providers to remove their liquidity from DEXs, adding that the tokens would be reissued soon.
Crypto traders profit
A crypto trader capitalized on this hack and used 10 BNB to make $15 million in profit, according to PeckShield.
#PeckShieldAlert 0x8d11F…217 is capitalising off the $aBNBc exploit,
10 $BNB -> 183,384.92 $aBNBc->$hBNB and staked them into Helio Protocol to lend ~$16M BHAY0 & exchanged them into $HAY
Profit: ~$15M https://t.co/YLwhIENcL7 $HAY has dropped -61% https://t.co/EKPrYojuHY pic.twitter.com/txTKY042sd
— PeckShieldAlert (@PeckShieldAlert) December 2, 2022
Wu Blockchain reported that the trader converted the 10 BNB into 183,384.92 aBNBc. He then exchanged his aBNBc holding for hBNB and staked it on Helio Protocol to lend $16 million BHAYO, which was then exchanged into HAY.
The trade caused the HAY stablecoin to depeg. As of press time, the stablecoin has lost 33% of its value and is trading for $0.69.
Meanwhile, the Helio Protocol team said it was aware of the exploit and would provide more information soon.
Our team is aware of the exploit. We will update the community as soon as we get more information.
— Helio Protocol ($HAY) 🔶 (@Helio_Money) December 2, 2022
Separately, Lookonchain reported that a trader who shorted the Ankr protocol’s native token made a 53.25% return.
aBNBc, ANKR, BNB price falls
CryptoSlate data shows that the hack has negatively impacted the price of ANKR and BNB.
According to the data, ANKR fell by 4% in the last 24 hours to $0.02155, while BNB is down 3% to $289 as of press time.
Meanwhile, CoinMarketCap data showed that aBNBc plunged by 99.51% to $1.51 as of press time.