Binance Bridge Forged Proof Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

BNB Chain Logo/Background

An attacker found a massive hole in the proof validation that Binance Smart Chain nodes were using to validate that payments had been made to their bridge. The attacker was able to extract $566m worth of BNB token. The nodes were shut down after $127m was taken off-chain, and the rest of the money was frozen.

This is a global/international case not involving a specific country.[1][2][3]

About Binance Bridge

[4][5]

Binance Bridge 2.0 acts as a bridge between the platform and tokens not listed on the exchange. This new feature allows users to use their wrapped tokens with the Binance Smart Chain (BNB). Users can access decentralized finance (DeFi), metaverse, and blockchain games without needing third-party wallets. The cross-chain bridge aims to revitalize the DeFi space by offering users the ability to stake their Ethereum (ETH) and its tokens on the BNB Smart Chain, reducing high fees and transaction completion times. Binance Bridge 2.0 supports various Ethereum-native tokens and provides access to BNB Smart Chain dApps[5].

The Reality

The Binance Bridge contained an exploit in the proof mechanism.

What Happened

A hacker exploited a bug in the Binance Smart Chain (BSC) Token Hub, a cross-chain bridge, minting around around $586 million worth of cryptocurrency, and successfully stealing at least $100 million[6].

Key Event Timeline - Binance Bridge Forged Proof Exploit
Date Event Description
March 29th, 2022 10:09:30 PM MDT Binance Bridge 2.0 Launching Watcher.guru reports on Binance launching Binance Bridge 2.0, which acts as a bridge between the platform and tokens not listed on the exchange. This new feature allows users to use their wrapped tokens with the Binance Smart Chain (BNB). Users can access decentralized finance (DeFi), metaverse, and blockchain games without needing third-party wallets. The cross-chain bridge aims to revitalize the DeFi space by offering users the ability to stake their Ethereum (ETH) and its tokens on the BNB Smart Chain, reducing high fees and transaction completion times. Binance Bridge 2.0 supports various Ethereum-native tokens and provides access to BNB Smart Chain dApps[5].
October 6th, 2022 5:29:00 PM MDT BNB Posts About Temporary Suspension BSCDev/Tech, in coordination with validators, announce on Reddit that they have temporarily suspended the BNB Smart Chain (BSC) in response to the discovery of an exploit involving the BSC Token Hub cross-chain bridge[7]. The exploit resulted in the creation of extra BNB, estimated to be between $100M - $110M, with $7M already frozen through community efforts. The community played a crucial role in freezing transfers, and the node service providers swiftly responded. The team expressed gratitude to various entities for their quick actions and assured users that their funds are safe. The issue has been contained, and further updates will be provided[7].
October 6th, 2022 5:35:00 PM MDT Samczson Post Samczsun starts posting a technical analysis[8][9][10].
October 6th, 2022 5:51:00 PM MDT Binance CZ Publishes Tweet Binance CEO Changpeng Zhao (CZ) acknowledges that an "exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB" and reports that "[t]he issue is contained now"[11]. He apologizes for the inconvenience and mentions an impact estimate of around $100 million USD, roughly a quarter of the last BNB burn. Further updates will be provided, and additional details can be found in the BNB Reddit post which is shared by CZ[11].
October 6th, 2022 6:30:50 PM MDT BleepingComputer Publishes Article BleepingComputer reports that hackers managed to steal 2 million Binance Coins (BNB), valued at approximately $566 million, from the Binance Bridge. The attack began with two transactions, each consisting of 1 million BNB, at 2:30 PM EST. The hacker then proceeded to spread the stolen funds across various liquidity pools and attempted to convert the BNB into other assets. Binance acknowledged the security incident and paused the BNB Smart Chain for investigation. The company's CEO confirmed that an exploit was used in the BSC Token Hub to transfer BNB to the attacker and requested all validators to suspend the Binance Smart Chain. Binance estimates that between $70 million to $80 million was moved off-chain, and $7 million of those assets have already been frozen with the help of partners in the cryptocurrency community[12].
October 7th, 2022 1:31:00 AM MDT BankInfoSecurity Article Published Rashmi Ramesh publishes a BankInfoSecurity article on the situation[13]. "@Binance paused its #smartcontract platform after a hacker exploited an internal verification vulnerability to steal #cryptocurrency from its cross-chain bridge. Binance has acknowledged a theft of at least $100m; @peckshield says hackers stole $586m"[6]
October 7th, 2022 1:54:23 AM MDT CNBC Article Published CNBC reports that hackers stole approximately $570 million worth of Binance's BNB token by exploiting a bug in a cross-chain bridge linked to BNB Chain, as revealed by the cryptocurrency exchange. In total, 2 million BNB tokens were drained from the network due to a vulnerability in the bridge's smart contract. While the company initially estimated the theft to be around $100-110 million, it later identified the larger amount. Binance suspended its blockchain network temporarily, cooperating with network validators to halt all transaction processing and investigate the breach. The value of BNB experienced a more than 3% drop following the hack. This is one of several major breaches targeting cross-chain bridges, highlighting the vulnerabilities in this technology, which have led to approximately $1.4 billion in losses in 2022[14].
October 7th, 2022 2:39:06 AM MDT BNB Chain Ecosystem Update The BNB Chain provided an update following a recent exploit that affected the native cross-chain bridge between BNB Beacon Chain and BNB Smart Chain, known as "BSC Token Hub." Approximately 2 million BNB was withdrawn in a sophisticated attack[15]. The team, with the help of security experts, projects, and validators, successfully minimized the loss and has taken steps to secure the remaining funds. The BNB Chain plans on-chain governance votes to decide on actions, including what to do with the hacked funds, whether to use BNB Auto-Burn to cover the remaining funds, a Whitehat program for future bugs, and a bounty for catching hackers. The incident highlights the need for enhanced security measures, and the BNB Chain will implement a new on-chain governance mechanism and continue to expand community validators for further decentralization. The team expresses gratitude to the community for their swift response and support[15].
October 7th, 2022 3:18:00 AM MDT Reuters Article Published A Reuters article reports that hackers have successfully stolen approximately $100 million worth of cryptocurrency from a blockchain associated with Binance, as announced by Binance CEO Changpeng Zhao in a tweet[16]. The targeted blockchain, known as BNB Chain and previously called Binance Smart Chain until February, fell victim to the theft through a blockchain "bridge." Blockchain bridges are tools facilitating the transfer of cryptocurrencies between various applications. BNB Chain confirmed the hack, estimating the loss to be between $100 million and $110 million in digital tokens. The blockchain temporarily suspended its activity before resuming, and the incident underscores the increasing targeting of blockchain bridges in the cryptocurrency sector by malicious actors.
October 7th, 2022 3:28:16 AM MDT Reddit Discussion Discussion on Reddit reports that Binance Coin (BNB) has been hit by a $568 million hack, apparently prompting the freezing of all trading on the Binance platform[17]. The stolen coins are reportedly forked out, rendering them worthless as they no longer fit the updated blockchain. Some users speculate that these hacks might be attempts to cash out tax-free. Tether has also frozen a suspicious wallet address holding a substantial amount of BNB, potentially linked to the incident. Community members raise concerns and highlight the need for enhanced security measures.
October 7th, 2022 4:30:47 AM MDT Reddit Discussion A Reddit community discussion revolves around the reported theft of around $100 million in cryptocurrency from a blockchain linked to Binance[18]. Users express concerns about the security of the crypto space and discuss the potential impact on the market. Some speculate on the nature of the hack, mentioning the possibility of North Korean involvement or pointing out the challenge of reversing such incidents. There's also discussion about the evolving nature of cryptocurrency security and the trade-offs between scalability, decentralization, and security. Additionally, the conversation touches on the use of bridges, privacy protocols, and the need for effective measures to prevent future hacks[18].
October 7th, 2022 8:46:31 AM MDT Investopedia Article Published Investopedia reports that hackers successfully exploited the BSC Token Hub, a cross-chain bridge connected to Binance, on October 6, resulting in the theft of $570 million worth of Binance Coins (BNB). The exploit created extra BNB tokens, affecting the Binance Smart Chain. Following the attack, Binance temporarily halted the Binance Smart Chain and managed to freeze $7 million in stolen funds through a software update. The price of BNB dropped 3.5% over the last 24 hours, trading at $281. Binance has resumed BSC operations and plans to introduce an on-chain governance mechanism to enhance security in response to such attacks. Cross-chain bridge hacks have been on the rise in the crypto industry, with $2 billion lost across 13 separate incidents in 2022[19].
October 7th, 2022 10:40:16 AM MDT New York Times Article Published The New York Times published an article on the Binance smart chain hack[20]. TBD review and more detail.
October 7th, 2022 12:20:00 PM MDT BSC Token Hub Operations Restored Binance has reportedly restored "restored operations on its BSC Token Hub smart contract"[21].
October 7th, 2022 3:02:00 PM MDT Reuters Article Updated The Reuters article is updated to report that a blockchain associated with Binance, the world's largest cryptocurrency exchange, has suffered a $570 million hack, as confirmed by a Binance spokesperson[22]. Tokens were stolen from a blockchain "bridge" in the BNB Chain, previously known as Binance Smart Chain. Blockchain bridges are tools facilitating cryptocurrency transfers between different applications and have become a frequent target for hackers. The attackers managed to steal approximately $100 million worth of crypto, specifically 2 million BNB tokens, before transferring funds to other cryptocurrencies like Tether and USD Coin. The majority of the stolen BNB remains in the hacker's wallet, with roughly $100 million "unrecovered." BNB Chain temporarily suspended its blockchain but resumed operations after several hours, implementing measures to prevent further incidents and planning to expand its validator network.
October 10th, 2022 10:49:00 AM MDT Analysis By Patrick Hillmann Patrick Hillmann, Chief Communications Officer at Binance, discussed the recent $100 million hack on BNB Chain in an interview. He highlighted that the hack could have been worse if the validators had not taken quick action. The hack targeted BSC Token Hub, a bridge on the BNB Chain, to mint additional BNB tokens. The attack was compared to thieves printing their own money. BNB validators reacted swiftly to lock down the chain, preventing most of the fraudulently minted BNB from leaving the ecosystem. This action prevented a potential $570 million hack. Hillmann emphasized that the ability of a smaller community of 26 validators to work together quickly was crucial in preventing the worst-case scenario. Validators will now hold on-chain governance votes to decide on freezing hacked funds and implementing a bug bounty reward system to prevent future hacks[23].
October 12th, 2022 4:41:44 PM MDT Decrypt Reports BNB Chain Upgrade Decrypt reports that following the recent hack of the Binance bridge, BNB Smart Chain has successfully deployed a network upgrade to address cross-chain issues. The upgrade, known as the "Moran hard fork," has resolved the problems stemming from the hack. This has allowed all relevant funds stuck in cross-chain transfers to reach their target wallets or be refunded to the source. While the upgrade had no impact on the trading of Binance Smart Chain tokens on the exchange, deposits and withdrawals of these tokens were temporarily paused. Developers plan to further enhance the network's cross-chain proof verification and implement additional security measures in the coming weeks[24].
October 12th, 2022 9:59:36 PM MDT Binance Smart Chain Hard Fork Successful According to a report by Forkast News, Binance has successfully completed a hard fork of its BNB Smart Chain (BSC) network in response to a hack that saw $100 million drained from the network in October. This upgrade, version 1.1.16, aims to address a software weakness exploited in the hack and has led to discussions within the BNB community about how to address the stolen funds. Some options include freezing the funds or using BNB's burn protocol to cover the losses. This incident has sparked a debate about decentralization on the BSC network. Cross-chain transactions on the network are now expected to operate as usual after experiencing delays due to the service outage[25].

Technical Details

The hacker exploited a flaw in the BSC's custom functionality related to a Merkelized IAVL tree, allowing them to trick the system into accepting fraudulent withdrawal requests for 1 million BNB each, totaling about $300 million per withdrawal[26]. Once in possession of the stolen BNB, the hacker transferred the tokens to other blockchains through various bridges, making it difficult for authorities to reverse or freeze the assets[26].

The attack began with two transactions, each consisting of 1 million BNB, at 2:30 PM EST. The hacker then proceeded to spread the stolen funds across various liquidity pools and attempted to convert the BNB into other assets.[12]

"there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages. Fortunately, the attacker here only forged two messages, but the damage could have been far worse"

“The bug itself lies in how Binance Bridge processes the proofs of transactions sending the money from one chain to another,” Adrian Hetman, tech lead of the Triaging Team at Immunefi, a web3 bug bounty program provider, told TechCrunch. “The logic checks the message proof, something a user submits, and proceeds with the payout if the proof is valid.”

“The hacker managed to forge such a message that it tricked the logic of the contract into thinking the message was indeed valid, even though the hacker didn’t have valid claims to the funds. BSC Token Hub then proceeded with the payout as everything was valid,” said Hetman.

"an attacker stole 2 million BNB (~$566M USD) from the Binance Bridge." "the attack appears to have started at 2:30 PM EST [on October 6th, 2022], with the attacker's wallet receiving two transactions [1, 2], each consisting of 1,000,000 BNB."

SlowMist Technical Analysis

[3] TBD

Samczsun Technical Analysis

Samczsun published a technical analysis of the exploit on Twitter[8][9][10].

Five hours ago, an attacker stole 2 million BNB (~$566M USD) from the Binance Bridge. During that time, I've been working closely with multiple parties to triage and resolve this issue. Here's how it all went down.

It all started when @zachxbt sent me the attacker's address out of the blue. When I clicked into it, I saw an account worth hundreds of millions of dollars. Either someone had pulled off a huge rug, or there was a massive hack underway

At first, I thought that @VenusProtocol had been hacked yet again. However, it only took a couple seconds to determine that the attacker *really did* deposit over $200M USD into Venus Instead, I needed to figure out where those funds came from

The answer was that the attacker had somehow convinced the Binance Bridge to simply send them 1,000,000 BNB. Twice.

Either Binance was finally running the biggest giveaway that Web3 had ever seen, or the attacker had found a critical bug

I started by comparing the attacker's transactions with legitimate withdrawals. The first thing I noticed was that the height used by the attacker was always the same - 110217401. The heights used by legitimate withdrawals were much bigger, such as 270822321

I also noticed that the attacker's proof was significantly shorter than the legitimate withdrawal's proof. These two facts led me to believe that the attacker had found a way to forge a proof for that specific block - 110217401. Now I had to figure out how these proofs worked

On Binance, there's a special precompile contract used to verify IAVL trees. If you don't know anything about IAVL trees, don't worry. I still don't understand about 95% of it. Fortunately, all you and I need to reproduce the hack is the remaining 5%

Ok, so basically, when you verify an IAVL tree, you specify a list of "operations". The Binance Bridge typically expects two of them: an "iavl:v" operation, and a "multistore" operation. Here are their implementations

In order to forge a proof, we need both operations to succeed, and we need to last operation (the multistore) to return a fixed value (the hash of the specified block: 110217401)

Looking at the implementation, we can convince ourselves with some effort that it's impossible, or at least very difficult, to manipulate the root hash. Or you can just take my word for it. This means that we need our input value to be equal to one of the commit IDs

The input value of the "multistore" operation is the output value of the "iavl:v" operation. This means that we want to somehow control the root variable here, while still passing the value verification

So how is the root hash computed? Well, it happens in this monster of a function called COMPUTEHASH. At a very very high level, it recursively goes over each path and leaf and does a bunch of hashing and really the implementation details don't matter

What does matter is that due to the way that hash functions are intended to work, we can basically say with certainty that any (path, nleaf) pair will produce a unique hash. If we want to forge a proof, those will need to stay the same

Looking at the way that the proof is laid out in a legitimate transaction, we see it has a very long path, no inner nodes, and only one leaf node. This leaf node contains the hash of our malicious payload! If we can't modify this leaf node, then we'll need to add a new one

Of course, if we add a new leaf node, we'll also need to add a new inner node to match

Now we just have one last obstacle to face. How do we actually get COMPUTEHASH to return the root hash we want? Well, notice that eventually we'll need a path to contain a non-zero right hash. When we find one that does, we assert it matches the intermediate root hash

Let's just instrument the code a bit so we can figure out what hash we need and....

All that's left is to put it all together. We'll take a legitimate proof and modify it so that: 1) we add a new leaf for our forged payload 2) we add a blank inner node to satisfy the prover 3) we tweak our leaf to exit early with the correct root hash

(It's worth noting that this wasn't the exact method the attacker used. Their proof path is much shorter, and I'm not sure how exactly they generated that. However, the rest of the exploit is identical, and I believe showing how to build it from the ground up is valuable)

In summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages. Fortunately, the attacker here only forged two messages, but the damage could have been far worse

Zellic Technical Analysis

Blockchain research platform Zellic later published a summary of the hack "explained in simple terms"[26].

The hacker convinced the Binance Bridge to send them 1,000,000 BNB two times. BSC was worth about 300,sothiswasabout600M. This was all done using an exploit. What’s currently believed is that this exploit essentially exploited a flaw in a custom functionality built into BSC. This functionality was a merkelized IAVL tree. This code actually lives in a library, but it is part of the BSC L1 (it’s a precompile).

This IAVL tree is responsible for enforcing/checking the validity of messages sent to the Binance bridge. For instance, under normal circumstances, the IAVL tree is supposed to reject a hacker’s message to fraudulently withdraw 1,000,000 BNB. However, the attacker found a flaw in the IAVL verification routine, which allows him to trick the IAVL tree into accepting arbitrary messages. Armed with the capability to have arbitrary messages they forge accepted, the hacker then submitted two fraudulent withdrawals.

The IAVL code seems to have been a part of Cosmos SDK. However, Cosmos (thankfully) doesn’t use IAVL for validation now. They use ICS23 which we currently believe is not affected.

The hacker likely knew that BSC would be halted/frozen after such a massive hack, so they knew they had to transfer as much value off of BSC as quickly as possible. The typical way one would transfer funds among different blockchains are bridges. So after hacking the Binance Bridge, the attacker then went to other bridges to try to convert his hacked BNB proceeds on BSC to other chains.

Total Amount Lost

Initial observations had the amount lost at least $100m[6].

Patrick Hillmann, Chief Communications Officer at Binance, discussed the recent $100 million hack on BNB Chain in an interview. He highlighted that the hack could have been worse if the validators had not taken quick action. The hack targeted BSC Token Hub, a bridge on the BNB Chain, to mint additional BNB tokens. The attack was compared to thieves printing their own money. BNB validators reacted swiftly to lock down the chain, preventing most of the fraudulently minted BNB from leaving the ecosystem. This action prevented a potential $570 million hack. Hillmann emphasized that the ability of a smaller community of 26 validators to work together quickly was crucial in preventing the worst-case scenario. Validators will now hold on-chain governance votes to decide on freezing hacked funds and implementing a bug bounty reward system to prevent future hacks[23].

The total amount lost has been estimated at $566,000,000 USD.

"an attacker stole 2 million BNB (~$566M USD) from the Binance Bridge." "the attack appears to have started at 2:30 PM EST [on October 6th, 2022], with the attacker's wallet receiving two transactions [1, 2], each consisting of 1,000,000 BNB."

"there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages. Fortunately, the attacker here only forged two messages, but the damage could have been far worse"

Immediate Reactions

Binance, the largest cryptocurrency exchange, suspended trading on the smart contract blockchain and requested validators to suspend BSC to address the issue[6]. Changpeng Zhao, CEO of Binance, assured users that their funds were safe and the issue was being resolved. The cybersecurity firm PeckShield stated that the attack exploited the internal verification logic of the smart contract blockchain, resulting in a "huge reward claim." Cross-chain bridges, which facilitate the transfer of crypto assets across blockchains, have been increasingly targeted by hackers, with $2 billion stolen in 2022[6].


Investopedia reports that hackers successfully exploited the BSC Token Hub, a cross-chain bridge connected to Binance, on October 6, resulting in the theft of $570 million worth of Binance Coins (BNB). The exploit created extra BNB tokens, affecting the Binance Smart Chain. Following the attack, Binance temporarily halted the Binance Smart Chain and managed to freeze $7 million in stolen funds through a software update. The price of BNB dropped 3.5% over the last 24 hours, trading at $281[19].

Pausing Of The Binance Bridge

"When hackers exploited a bug in the BSC Token Hub (a cross-chain bridge connecting the BNB Beacon Chain and BNB Chain) which allowed them to extract 2M BNB (~$570M), the entire chain was “paused” before the hacker could make off with his exploits. As a result, the hacker only managed to snag ~127M off chain."

"The Binance blockchain, also known as BNB Chain and Binance Smart Chain, took the rare step of suspending transactions and fund transfers after discovering a vulnerability affecting the BSC Token Hub cross-chain bridge. These bridges are designed to facilitate the transfer of assets from one independent blockchain to another."

"Simply put, Binance “asked” all its validators (real nicely) to temporarily suspend the chain."

"That’s easy for Binance to do because Binance is also a highly centralized chain with a total of 25 validators, all of whom were pre-approved by Binance themselves."

BNB Post On Reddit

[7]

Binance Acknowledgement of Incident

"Binance acknowledged the security incident at 6:19 PM EST and paused the BNB Smart Chain while they investigated the incident.

At 7:51 PM EST, the CEO of Binance tweeted that an exploit was used in the BSC Token Hub to transfer the BNB to the attacker and that they had asked all validators to suspend the Binance Smart Chain."[11]

An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly.

BNB Chain Ecosystem Update

A blog post was shared within several hours[15].

First, we want to apologize to the community for the exploit that occurred. We own this.

Decentralized chains are not designed to be stopped, but by contacting community validators one by one, we were able to stop the incident from spreading. It was not that easy as BNB Smart Chain has 26 active validators at present and 44 in total in different time zones. This delayed closure, but we were able to minimize the loss.

A timeline of events and details will be shared with all parties following a thorough postmortem,

Ultimate Outcome

Binance shared an incident summary. A vote was held regarding what should be done with the frozen funds from teh exploit. The Binance Smart Chain was ultimately hard-forked in the Moran hard fork to resolve the vulnerability.

Binance has resumed BSC operations and plans to introduce an on-chain governance mechanism to enhance security in response to such attacks. Cross-chain bridge hacks have been on the rise in the crypto industry, with $2 billion lost across 13 separate incidents in 2022[19].

Binance Blog Post Incident Summary

"In a blog post on Friday, the BNB Chain team said that a total of 2 million BNB — worth approximately $568 million — were initially withdrawn by the hacker. But blockchain security company SlowMist says the attacker only managed to take about $110 million because the majority of the stolen tokens, worth about $430 million, couldn’t be transferred following the suspension of the BNB Chain."

"Binance chief executive Changpeng Zhao said in a tweet that the company estimates the impact of the breach to be between $100 million and $110 million."

"When approached for comment, Binance spokesperson Ismael Garcia declined to comment beyond the blog posted by the BNB Chain team, which says that the BNB Chain is now back up and running. The blog post adds that a new on-chain governance mechanism will be introduced on the BNB Chain to fight and defend against future possible attacks."

Hacked Funds Frozen

"Moving forward, BNB Chain’s validators said they would hold a series of on-chain governance votes that would decide whether the hacked funds should be frozen, as well as whether a bug bounty reward system should be put in place to prevent future hacks."

Binance suspended its blockchain network after hackers exploited a bug in a cross-chain bridge to steal approximately $570 million worth of its BNB token. The hack was caused by a vulnerability in the bridge's smart contract, enabling hackers to forge transactions and send money back to their crypto wallet. While Binance initially estimated the loss to be around $100-110 million, the actual amount was much higher. Most of the stolen funds were unrecovered, although approximately $7 million was frozen with the assistance of security partners. The crypto industry has faced several major hacks involving cross-chain bridges, with sloppy engineering making them attractive targets for cybercriminals.[14]

Hard Fork of Binance Smart Chain

"The Moran hard fork seeks to amend several issues on the BNB Chain stemming from its $100 million hack last week."

Binance has successfully completed a hard fork of its BNB Smart Chain (BSC) network in response to a hack that saw $100 million drained from the network in October. This upgrade, version 1.1.16, aims to address a software weakness exploited in the hack and has led to discussions within the BNB community about how to address the stolen funds. Some options include freezing the funds or using BNB's burn protocol to cover the losses. This incident has sparked a debate about decentralization on the BSC network. Cross-chain transactions on the network are now expected to operate as usual after experiencing delays due to the service outage[25].

BNB Smart Chain has successfully deployed a network upgrade to address cross-chain issues. The upgrade, known as the "Moran hard fork," has resolved the problems stemming from the hack. This has allowed all relevant funds stuck in cross-chain transfers to reach their target wallets or be refunded to the source. While the upgrade had no impact on the trading of Binance Smart Chain tokens on the exchange, deposits and withdrawals of these tokens were temporarily paused. Developers plan to further enhance the network's cross-chain proof verification and implement additional security measures in the coming weeks[24].

Concerns About Centralization

Patrick Hillmann, Chief Communications Officer at Binance, discussed the recent $100 million hack on BNB Chain in an interview. He highlighted that the hack could have been worse if the validators had not taken quick action. The hack targeted BSC Token Hub, a bridge on the BNB Chain, to mint additional BNB tokens. The attack was compared to thieves printing their own money. BNB validators reacted swiftly to lock down the chain, preventing most of the fraudulently minted BNB from leaving the ecosystem. This action prevented a potential $570 million hack. Hillmann emphasized that the ability of a smaller community of 26 validators to work together quickly was crucial in preventing the worst-case scenario. Validators will now hold on-chain governance votes to decide on freezing hacked funds and implementing a bug bounty reward system to prevent future hacks[23].

Total Amount Recovered

The total amount frozen and redistributed has been estimated at $439,000,000 USD.

None of the funds which were bridged to other chains are reported as having been recovered. TBD - Confirm.

Ongoing Developments

TBD

Binance Smart Chain Concerns

Patrick Hillmann, Chief Communications Officer at Binance, discussed the recent $100 million hack on BNB Chain in an interview. He highlighted that the hack could have been worse if the validators had not taken quick action. The hack targeted BSC Token Hub, a bridge on the BNB Chain, to mint additional BNB tokens. The attack was compared to thieves printing their own money. BNB validators reacted swiftly to lock down the chain, preventing most of the fraudulently minted BNB from leaving the ecosystem. This action prevented a potential $570 million hack. Hillmann emphasized that the ability of a smaller community of 26 validators to work together quickly was crucial in preventing the worst-case scenario. Validators will now hold on-chain governance votes to decide on freezing hacked funds and implementing a bug bounty reward system to prevent future hacks[23].

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.


All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.


Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.


In general, blockchain-level exploits can be resolved by reverting the blockchain to a prior state, which restores all funds to their prior ownership and limits potential losses to those who are transacting between the time of the exploit and the time of the revert. Effort should be undertaken by node operators to switch to a branch that eliminates the exploit as soon as possible to minimize losses. Any remaining losses would be resolved through the industry insurance fund.


Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Stoppable Finance [LITE] - by Donovan Choy - Bankless Archive October 10th, 2022 3:20:53 PM MDT (Jul 24, 2023)
  2. Binance hit by $100 million blockchain bridge hack - TechCrunch (Jul 24, 2023)
  3. 3.0 3.1 SlowMist - "Since the $BNB Chain was suspended, the ~$430M on it cannot be transferred any further. In total, over $110M was moved off the BNB Chain Frozen: ~6,5M $USDT Supplied to lending pools: ~$37.5M Borrowed: ~$16.5M Still have access to: $83.3M" - Twitter (Jul 24, 2023)
  4. Binance Smart Chain | Binance Bridge | Binance Panama (Jul 24, 2023)
  5. 5.0 5.1 5.2 Binance Bridge 2.0 is set to welcome almost all Ethereum tokens - Watcher.Guru (Jul 24, 2023)
  6. 6.0 6.1 6.2 6.3 6.4 Hacker Exploits Bug to Steal Millions Fom Binance Bridge - BankInfoSecurity (Jul 24, 2023)
  7. 7.0 7.1 7.2 DardaniaBNB - Temporary Pause of BSC - Reddit (Jan 23, 2024)
  8. 8.0 8.1 samczsun - "Five hours ago, an attacker stole 2 million BNB (~$566M USD) from the Binance Bridge. During that time, I've been working closely with multiple parties to triage and resolve this issue. Here's how it all went down." - Twitter (Jul 24, 2023)
  9. 9.0 9.1 samczsun - "Either Binance was finally running the biggest giveaway that Web3 had ever seen, or the attacker had found a critical bug" - Twitter (Jul 24, 2023)
  10. 10.0 10.1 Thread by @samczsun on Thread Reader App – Thread Reader App (Jul 24, 2023)
  11. 11.0 11.1 11.2 Changpeng Zhao - "An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly." - Twitter (Jul 24, 2023)
  12. 12.0 12.1 Hacker steals $566 million worth of crypto from Binance Bridge - BleepingComputer (Jul 24, 2023)
  13. Rashmi Ramesh - "@Binance paused its #smartcontract platform after a hacker exploited an internal verification vulnerability to steal #cryptocurrency from its cross-chain bridge" - Twitter (Aug 20, 2023)
  14. 14.0 14.1 $570 million worth of Binance’s BNB token stolen in another major crypto hack - CNBC (Sep 12)
  15. 15.0 15.1 15.2 BNB Chain Ecosystem Update - BNBChain Blog (Jul 24, 2023)
  16. Hackers steal around $100 million cryptocurrency from Binance-linked blockchain - Reuters Archive October 7th, 2022 4:31:38 AM MDT (Jan 22, 2024)
  17. A $568 Million Hack of Binance Coin Roils Crypto Sector Anew - Reddit (Mar 14, 2024)
  18. 18.0 18.1 Hackers steal around $100 million cryptocurrency from Binance-linked blockchain - Reddit (Mar 14, 2023)
  19. 19.0 19.1 19.2 Binance Hit By $570 Million Blockchain Bridge Hack - Investopedia (Jul 24, 2023)
  20. Binance Blockchain Hit by $570 Million Hack, Exposing Crypto Vulnerabilities - New York Times (Sep 12)
  21. Rashmi Ramesh - "Update: @binance restored operations on its BSC Token Hub smart contract, hours after a $568.6 million hack. It upgraded the vulnerable contract, shared plans to address this incident and boost #security measures. @CertiK and @peckshield share insights." - Twitter (Aug 20th, 2023)
  22. Binance-linked blockchain hit by $570 million crypto hack - Reuters (Jan 22, 2024)
  23. 23.0 23.1 23.2 23.3 Binance Exec: BNB Smart Chain Hack Could Have Been Worse if Validators Hadn’t ‘Sprung Into Action’ - CoinDesk (Jul 24, 2023)
  24. 24.0 24.1 BNB Chain Upgrade Restores Cross-Chain Transfers Following Binance Bridge Hack - Decrypt (Jul 24, 2023)
  25. 25.0 25.1 Binance says it successfully completed the BSC hard fork after hack - Forkast News (Dec 22, 2022)
  26. 26.0 26.1 26.2 Binance Bridge Hack in Layman's Terms - Zellic (Jul 24, 2023)

Cite error: <ref> tag with name "newsletter-11414" defined in <references> is not used in prior text.