Ankr, a web3 infrastructure project on BNB Chain, was exploited with an attacker minting and dumping millions worth of its wrapped BNB token, aBNBc (Ankr Reward Bearing Stake BNB).
A bug in Ankr’s decentralized finance infrastructure allowed hackers to mint unlimited tokens, resulting in over $5 million being stolen. On-chain analysts discovered the attack on social media, and Ankr confirmed that this incident occurred on Dec. 1st.
On Friday, the Web3 infrastructure provider admitted on Twitter that its aBNBc token had been exploited and announced it’s working with exchanges to suspend trading. A follow-up tweet also insisted that all underlying assets on Ankr Staking are safe and infrastructure services unaffected.
Ankr suffers from a DeFi hack
Ankr Protocol, a Defi node-as-a-service provider, admitted that $5 million worth of Binance’s native token, BNB, was stolen from liquidity pools. The team at Ankr is currently assessing the damage and working to resolve the issue.
Blockchain security firm Peckshield Inc. analyzed the exploit and discovered that the aBNBc token contract has an unlimited mint bug. More specifically, while minting, another function (with 0x3b3a5522 function signature) completely bypasses caller verification, allowing for arbitrary minting, something the attacker exploited to secretly transfer stolen funds to mixer Tornado Cash. The Firm reported that the attacker had managed to gain access to the Ankr deployer key.
According to the on-chain analysis firm, Lookonchain, the 20 trillion aBNBc (Ankr Reward Bearing Stake BNB) minted by the exploiter had been dumped onto PancakeSwap.
The firm said that the funds had already been exchanged for more than $5 million worth of USD across Uniswap, Tornado Cash, and several others. Since
the price of Ankr’s reward-bearing staked BNB (aBNBc) has collapsed from over $300 to just $1.50, according to CoinMarketCap.
The DeFi protocol stated that all assets on its staking program are safe and the exploitation would not affect any infrastructure services.
Binance helps Ankr & Freezes $3 Million
The CEO of Binance, Changpeng Zhao (CZ), tweeted on Twitter to warn about a possible exploit on Ankr Protocol. According to CZ, the exploit was made possible after a hacker accessed the developer’s private key and used it to update the smart contract to a more malicious version. To prevent any further damage, Binance has paused withdrawals and frozen approximately $3 million that hackers had moved to their Centralized Exchange (CEX).
As a result of an exploit confirmed by the Helio Protocol team, the BNB Chain-based stablecoin “Hay” lost its $1 peg and went to $0.22. The token is currently trading at around $0.95.
Ankr to Reimburse its Affected Users
Ankr plans to reimburse the users who were financially impacted by the $5 million exploit that took place on their platform.
“We will take a snapshot and reissue ankrBNB to all valid aBNBc holders before the exploit. The ankrBNB token will continue to be redeemable, while aBNBc and aBNBb will no longer be redeemable,” Ankr said in a tweet after the exploit.
Crypto hacks are increasing
Over the years, Crypto has unfortunately seen its share of hacks and exploits.
In October, Binance announced the suspension of deposits and withdrawals from its BNB chain after identifying an unauthorized transfer of 2 million BNB tokens, worth around $568 million at that time.
Again, In October, the Mango Markets DeFi platform incurred over $100 million loss due to a hack. The hacker cooperated with Mango Market and made away with $47 million(as a bug bounty reward).
Hacks and exploits have been commonplace in the crypto market, especially regarding DeFi protocols. If DeFi providers and exchanges want to reduce the damage done by hackers, they need to get better at identifying hacker behavior and responding accordingly. Also, traders need to be aware of both the risks involved with online trading and how they can avoid becoming victims themselves.
The role of Aegis, if it were used
We’ve established that on-chain activity indicated Ankr’s contract upgrades — they were done multiple times. In the beginning, it was not sure if it was the team or the hacker that did those upgrades with a stolen private key.
The important thing to stress is that Aegis tracks contract upgrades — it could have notified the team that their contract was being updated. The team then could have changed the admin account to the non-compromised private key and could’ve reverted the upgrade.
In short, Aegis would have been able to prevent this incident if it had been applied by Ankr.
About Lossless
Restoring trust in web3 security. Lossless incorporates a new layer of blockchain transaction security, protecting projects and their communities from malicious exploits and associated financial loss.
Lossless protocol implements an additional layer of blockchain transaction security for ERC-20 standard tokens, mitigating the financial impact of smart contract exploits and private key theft. Lossless protocol utilizes community-driven threat identification tools and a unique stake-based reporting system to identify suspicious transactions, providing real-time protection.
Twitter | Platform | Telegram | Discord | Website | Documentation | Github
