
Explained: The BNB Chain Hack 

The attacker had somehow convinced the Binance Bridge to simply send them 1,000,000 BNB. Twice

by Ajibola Akamo
October 10, 2022

On Thursday, the Binance Chain, the second-largest smart contract platform with $5.45 billion in Total Value Locked (TVL), accounting for approximately 9.90% of the total TVL in the cryptocurrency space, and home to 481 protocols according to Defi Llama, was hacked for two million BNB, its native cryptocurrency, worth approximately $556 million at the time of the incident.

However, the attacker only managed to bridge a fraction of the loot to other chains before validators halted the network, blocking access to the $430 million remaining in the hacker’s BNB chain address. The smart contract platform has since been reactivated. This means only approximately $110 million was actually stolen.  

Data from DeBank, a portfolio tracker, reveals that the hacker had access to approximately $110 million in various cryptocurrencies across the Ethereum, Avalanche, and Fantom networks, as well as the L2s Arbitrum and Optimism. However, of this, an estimated $6.5 million in USDT has been frozen by Tether, the stablecoin’s issuer.


How it Happened 

In order to pull off the heist, the hacker sent falsified transactions which convinced the bridge’s code they had previously deposited two million BNB to the bridge, and that they were eligible to withdraw it again. The two withdrawals of one million BNB each were made just over two hours apart, minting the funds directly into the attacker’s address. 

Anonymous blockchain security researcher samczsun shared a more detailed explanation of the hack on Twitter, pointing out that the attacker could have taken even more if they had wanted to. He explained:

“An attacker stole 2 million BNB from the Binance Bridge. During that time, I’ve been working closely with multiple parties to triage and resolve this issue. Here’s how it all went down. It all started when @zachxbt sent me the attacker’s address out of the blue. When I clicked on it, I saw an account worth hundreds of millions of dollars. Either someone had pulled off a huge rug, or there was a massive hack underway. 

“At first, I thought that @VenusProtocol had been hacked yet again. However, it only took a couple of seconds to determine that the attacker *really did* deposit over $200M USD into Venus. Instead, I needed to figure out where those funds came from.

“The answer was that the attacker had somehow convinced the Binance Bridge to simply send them 1,000,000 BNB. Twice. Either Binance was finally running the biggest giveaway that Web3 had ever seen, or the attacker had found a critical bug. I started by comparing the attacker’s transactions with legitimate withdrawals. The first thing I noticed was that the height used by the attacker was always the same – 110217401. The heights used by legitimate withdrawals were much bigger, such as 270822321. 

“I also noticed that the attacker’s proof was significantly shorter than the legitimate withdrawal’s proof. These two facts led me to believe that the attacker had found a way to forge proof for that specific block – 110217401. Now I had to figure out how these proofs worked. On Binance, there’s a special precompile contract used to verify IAVL trees. If you don’t know anything about IAVL trees, don’t worry. I still don’t understand about 95% of it. Fortunately, all you and I need to reproduce the hack is the remaining 5%. 

“Ok, so basically, when you verify an IAVL tree, you specify a list of “operations”. The Binance Bridge typically expects two of them: an “iavl:v” operation, and a “multistore” operation. In order to forge a proof, we need both operations to succeed, and we need the last operation (the multistore) to return a fixed value (the hash of the specified block: 110217401). Looking at the implementation, we can convince ourselves with some effort that it’s impossible, or at least very difficult, to manipulate the root hash. Or you can just take my word for it. This means that we need our input value to be equal to one of the commit IDs.

“The input value of the “multistore” operation is the output value of the “iavl:v” operation. This means that we want to somehow control the root variable here, while still passing the value verification. So how is the root hash computed? Well, it happens in this monster of a function called COMPUTEHASH. At a very very high level, it recursively goes over each path and leaf and does a bunch of hashing and really the implementation details don’t matter. What does matter is that due to the way that hash functions are intended to work, we can basically say with certainty that any (path, nleaf) pair will produce a unique hash. If we want to forge proof, those will need to stay the same. 

“Looking at the way that the proof is laid out in a legitimate transaction, we see it has a very long path, no inner nodes, and only one leaf node. This leaf node contains the hash of our malicious payload! If we can’t modify this leaf node, then we’ll need to add a new one. Of course, if we add a new leaf node, we’ll also need to add a new inner node to match. Now we just have one last obstacle to face. How do we actually get COMPUTEHASH to return the root hash we want? Well, notice that eventually, we’ll need a path to contain a non-zero right hash. When we find one that does, we assert it matches the intermediate root hash. 

“All that’s left is to put it all together. We’ll take a legitimate proof and modify it so that: 1, we add a new leaf for our forged payload, 2, we add a blank inner node to satisfy the prover, and 3, we tweak our leaf to exit early with the correct root hash.” 

The researcher concluded by stating, “in summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages. Fortunately, the attacker here only forged two messages, but the damage could have been far worse.” 
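The two signals samczsun describes, a proof height far behind that of legitimate withdrawals and a noticeably shorter proof, can be turned into a simple monitoring check. The sketch below is an added example, not code from Binance or from the researcher; the `Withdrawal` record, the thresholds and all sample values other than the two block heights quoted above are assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Withdrawal:
    tx: str         # constructed label, not a real transaction hash
    height: int     # block height the submitted proof refers to
    proof_len: int  # size of the submitted proof in bytes


# Constructed sample data. Only the heights 270822321 and 110217401 are taken
# from the article; every other height and all proof sizes are invented.
BASELINE = [
    Withdrawal("legit-1", 270822321, 2420),
    Withdrawal("legit-2", 270822950, 2404),
    Withdrawal("legit-3", 270823377, 2436),
]
INCOMING = [
    Withdrawal("legit-4", 270824102, 2412),
    Withdrawal("suspect-1", 110217401, 1630),
    Withdrawal("suspect-2", 110217401, 1630),
]


def flag_withdrawals(baseline, incoming, max_lag=1_000_000, min_len_ratio=0.8):
    """Return {tx: [reasons]} for withdrawals that deviate from the baseline."""
    latest = max(w.height for w in baseline)
    lengths = [w.proof_len for w in baseline]
    seen = {w.height for w in baseline}
    alerts = {}
    for w in incoming:
        reasons = []
        if latest - w.height > max_lag:      # proof for a long-past block
            reasons.append("stale height")
        if w.height in seen:                 # same height submitted before
            reasons.append("height reused")
        if w.proof_len < min_len_ratio * median(lengths):
            reasons.append("short proof")
        seen.add(w.height)
        if reasons:
            alerts[w.tx] = reasons
        else:
            # Only clean withdrawals extend the baseline.
            latest = max(latest, w.height)
            lengths.append(w.proof_len)
    return alerts

print(flag_withdrawals(BASELINE, INCOMING))
```

A check like this only raises an alert for review; it does not replace fixing the proof verification itself.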

How Binance Chain Reacted 

  • In the first instance, the BNB Chain was paused after its official Twitter account made the announcement, stating first that it was due to “irregular activity” on the blockchain and soon after adding that it was due to a possible exploit. Binance provided an update that the blockchain was “under maintenance,” suspending all deposits and withdrawals.
  • On the same day, CZ, the founder of the Binance exchange, took to Twitter to state, “An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly. BSC Token Hub is the bridge between BNB Beacon Chain (BEP2) and BNB Chain (BEP20 or BSC). The current impact estimate is around $100m USD equivalent, about a quarter of the last BNB burn.”
  • 24 hours later, the Binance Chain resumed operations, according to an update from the network. The blockchain reported that network validators were “confirming their status,” as well as upgrading community infrastructure. It stated, “BNB Smart Chain (BSC) is running ok from 20+ mins ago. The validators are confirming their status and the community infrastructure is upgrading as well.”
  • CZ went on Twitter to praise the actions of the BNB Chain team by stating, “I was impressed by the quick actions the @BNBChain team took. I am not that involved in the technical side of the BNB Chain. Far less than Vitalik with ETH. The principles of issue handling are simple & important: fast, transparent & responsible.” 

Conclusion 

The latest BNB Chain exploit and the subsequent steps taken by Binance may have controlled the damage, but the community once again faces the same dilemma surrounding decentralization. Bartek Kiepuszewski, MakerDAO’s blockchain architect, expressed a similar sentiment in a tweet on the matter. He stated, “do we want a simple bridge but with trusted validators that can censor, freeze or seize funds or do we want trustless but significantly more complicated infrastructure?”

