Binance Resumes Operations After Major Cross-Chain Breach

The BNB smart chain is back online after the team put activities on hold due to a recent hack on its cross-chain bridge. An official update from the network noted that validators were verifying their status and also upgrading community infrastructure. In a tweet, Binance founder Changpeng Zhao placed the losses from the exploit at an estimated $100M worth of assets. 

Binance Puts Operations On Hold

The network initially announced that they were halting operations late on Thursday due to some abnormal activity. They later revealed that the team had uncovered a potential breach and was looking into it. Blockchain security firm Peckshield also shared some on-chain data confirming the attack.

Binance is yet to drop a detailed post-mortem, however, they did share plans to do so in a recent release. The company briefly explained what occurred, saying the hacker targeted the native cross-chain bridge tagged the  “BSC Token Hub.” This is the bridge linking the BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20 or BSC).

According to their update, the culprit withdrew a total of 2 million native BNB tokens, roughly 600M USD. They were able to do this through a “sophisticated forging of the low-level proof into one common library.” 

Ellipal - Store over 10,000 coins and tokens!

Further Details of the Hack

In a Twitter thread,  @samczsun, a researcher from crypto-focused investment firm Paradigm went into further detail about the exploit. According to his report, he first discovered the hack after receiving the hacker’s address from a fellow researcher. Looking into it, he noted that the account was suspiciously worth hundreds of millions of dollars and began an investigation. 

Five hours ago, an attacker stole 2 million BNB (~$566M USD) from the Binance Bridge. During that time, I've been working closely with multiple parties to triage and resolve this issue. Here's how it all went down. pic.twitter.com/E0885Dc3lW

— samczsun (@samczsun) October 6, 2022

The researcher stated that the hacker had somehow manipulated the Binance bridge into sending 1 million BNB tokens to their address twice. Sun then compared the transfers to legitimate transactions upon which he realized that the hacker used the same height both times. 

The first thing I noticed was that the height used by the attacker was always the same – 110217401. The heights used by legitimate withdrawals were much bigger, such as 270822321.” 

According to Sun, the attacker had somehow forged proof for a specific block, that is 110217401. Probing into how the proofs worked he noted that Binance employs a special precompile contract to confirm IAVL trees. To verify an IAVL tree, users typically specify a list of operations. The Binance Bridge usually expects two of the aforementioned operations. However, the perpetrator discovered a vulnerability in how the Binance Bridge verified proofs and was able to falsify a random message. 

The Team’s Response

In summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages. Fortunately, the attacker here only forged two messages, but the damage could have been far worse,” Sun noted. 

Bnb

Binance Coin

$239,54
price

2.91717%
price change

TRADE NOW

The team’s swift response helped mitigate the damages.  First, the network devs halted the attack by disabling cross-chain interaction between the BNB Beacon Chain and the BNB Smart Chain. They then released a new node version calling for all node runners to update their versions. As stated earlier, the hacker withdrew $2M BNB tokens, however, given the team’s instant reaction they failed to cart off all the funds.

Initial estimates for funds taken off BSC are between $100M – $110M. However, thanks to the community and our internal and external security partners, an estimated $7M has already been frozen,” one dev stated.