Addressing Security of Asset Bridging on OKC
TL;DR: The problematic code library that BSC used was an outdated version (copied in May 2020) that was never updated afterwards. While we also use IAVL proofs, as all Cosmos-based networks do, we update regularly to prevent such incidents from taking place on OKC. Our latest update, in line with Cosmos, was in April 2022.
In light of the BSC Token Hub exploitation incident, our team at OKC would like to assure our users and builders that our chain is secure and has been regularly updated in line with Cosmos. We would also like to answer some of the questions that may have arisen.
How did the exploitation on BSC Token Hub happen?
- Binance runs a two-chain architecture, BNB Beacon Chain (the former Binance Chain, BC) and BNB Chain (BSC), where BC is based on Cosmos and BSC is derived from Ethereum. Both chains use BNB as the native coin, and that’s why an internal bridge (BSC Token Hub) is needed.
- Since BC is Cosmos-based, it incorporates a binary tree data structure called IAVL, which is used to store the chain state and is widely adopted across the Cosmos ecosystem.
- For every cross-chain transaction from BC to BSC, the EVM-compatible BSC must verify the IAVL proof generated by BC, using a library forked from the Cosmos SDK.
- The problem is that the library was outdated (May 2020) and had never been upgraded since it was forked. A bug was exploited in which BSC’s light client did not have to verify the IAVL proof, resulting in 2M BNB being minted by the bridge and released on BSC.
- At the time of writing, Binance has contained the situation and released an ecosystem update.
Why wasn’t OKC impacted by such exploitation?
- OKC is a single-chain network based on Cosmos SDK, yet 100% EVM-compatible, meaning that there’s no bridge to compromise.
- OKC believes in decentralization. Like other Cosmos networks, OKC is fully open source, with DPoS validator decentralization; all functionalities and modules, including IAVL proof, have been updated constantly.
- When it comes to cross-chain transfers, OKC always prioritizes security and reliability. OKC Bridge is backed by OKX exchange with no smart contract interactions, while IBC Transfer offers the most decentralized, reliable, and fastest cross-chain experience within the Cosmos Ecosystem.
Multi-chain is the future, and that hinges on the safety and reliability of all connected chains. We empathize with the parties affected by this exploitation and would like to remind everyone of the importance of regular updates for the security of any platform.
OKC (OKX Chain) is an EVM-compatible L1 built on Cosmos with a focus on true interoperability (IBC) and maximized performance. With high scalability, developers can build and scale with low gas fees. The OKC ecosystem and infrastructure, including the all-in-one multi-chain Web3 interface, enable a seamless experience for both developers and users.