Dissecting The BNB Chain Hack — As It Happened
The third largest bridge hack has occurred on the BNB Chain, with $568 million worth of funds being stolen by the hacker.
Here’s what happened, and some of the lessons learnt from this hack:
How did the hack happen?
The root cause of the hack was Binance’s BSC Token Hub, a cross-chain bridge that facilitates transfers between 2 separate networks on the BNB Chain: BEP2 (BNB Beacon Chain) and BEP20 (BNB Smart Chain).
This allowed users to deposit tokens they had on one chain, and they will receive these tokens on the other chain.
The hacker managed to convince the Token Hub that he had deposited 2 million BNB tokens, and this allowed him to receive 2 million BNB tokens (on BSC) without depositing anything!
What happened next?
After receiving these BNB tokens, the hacker tried to move these funds across other blockchain networks.
Since BNB is not as interoperable as other assets, the hacker deposited 900 BNB into Venus Protocol as collateral, and borrowed stablecoins like BUSD, USDT and USDC.
Afterwards, the hacker used a cross-chain bridge to move these assets to other EVM-compatible networks, including:
- Ethereum
- Fantom
- Avalanche
- Polygon
- Arbitrum
- Optimism
In fact, you can view the hacker’s entire portfolio on our platform:
At this point, all 44 validators on the BNB Chain were contacted to stop operations and the chain was eventually halted.
This essentially froze all of the hacker’s remaining assets (around 1.1 million BNB) on the BNB Chain, which helped to reduce the damage of the hack.
Furthermore, the hacker’s address, ‘0x489a8756c18c0b8b24ec2a2b9ff3d4d447f79bec’, was blacklisted by Tether, which froze a significant amount of USDT that the hacker was holding.
A blacklist by Tether would mean that the hacker is unable to transfer out any USDT he has in his wallet.
As a result, the hacker only managed to get away with $110 million.
The aftermath
During the chaos, BNB Chain issued a new upgrade for all validators, primarily aimed at freezing the hacker’s funds.
Within a few hours, the BNB Chain was back online, and they provided an update on the next steps they will be taking:
An on-chain governance vote would be held, where the community will help in deciding these 4 proposals:
- To freeze or unfreeze the hacked funds
- To use BNB Auto-Burn to cover the remaining hacked funds
- To create a Whitehat program for future bugs discovered, with a bounty of $1M for each significant bug
- To create a bounty for catching hackers, with rewards of up to 10% of the recovered funds
Lessons learnt from the hack
Here are some key takeaways we can gather from this latest crypto hack:
#1 Cross-Chain bridges are a major vulnerability
Vitalik Buterin, founder of Ethereum, previously mentioned that cross-chain applications have significant security risks.
The basis of how a bridge works is that:
- You deposit a token on Chain A and it gets locked up in a smart contract
- You receive the same token but on Chain B, which is free to be used
As a result, bridges have a lot of assets that are locked up, which is why they are the prime target for hackers.
Before the BNB Chain hack, almost $1.4 billion has been stolen from cross-chain bridges in 2022 alone!
Moreover, there are many components to a cross-chain bridge which are usually managed by different stakeholders.
So long as one component is exploited, the entire bridge can be hacked!
To ensure that cross-chain bridges are not hacked in the future, BlockSec suggested active monitoring of every bridge transaction to ensure that they are valid.
After this event, we can only hope that the security of the bridge is prioritised to ensure the safety of our funds!
#2 The BNB Chain may not be truly decentralised
There have been many Layer 1s that claim to be the next ‘Ethereum killer’, and the BNB Chain is one such competitor.
While it has faster speeds and lower transaction fees compared to Ethereum, it can be argued that it is not sufficiently decentralised.
There are only a total of 26 active validators on the BNB Chain, and you can view them here.
This pales in comparison to the number of validators on the Ethereum network, where there are more than 440k of them!
While the BNB Chain was able to be halted rather quickly, this also shows that there is still a central entity that controls the blockchain.
CZ, the founder of Binance, argues that decentralisation should not be absolute, and there should be a gradient (or degree) of decentralisation.
In the blog post above, CZ mentioned that having a small initial team is beneficial, even though it is more centralised. This is because it allows faster decision-making and a higher degree of efficiency.
Patrick Hillman, the chief communications officer at Binance, was also quoted as saying “Because those 26 validators are able to work with one another so quickly, they’re able to prevent that worse case scenario from happening.”.
There definitely are both pros and cons in the BNB Chain’s approach to developing a blockchain network, and it still remains to be seen what is the most effective way moving forward.
Final Thoughts
With yet another major crypto hack happening, we can only hope that developers are paying attention and prioritising the security of their decentralised applications (DApps)!
🔍 Navigate the DeFi Space NOW with Krystal!
Start your journey NOW on Desktop, iOS or Android
📱 Social Media
- Follow us on Telegram:
Announcements | Krystal Global | Krystal Vietnam 🇻🇳| Krystal Korea 🇰🇷 | Krystal Turkey 🇹🇷 | Krystal Africa 🌍 | Krystal Indonesia 🇮🇩 | Krystal India 🇮🇳 | Krystal Bangladesh 🇧🇩 - YouTube
