Ankr, a BNB Chain-based decentralized finance (DeFi) protocol, confirmed a multi-million dollar hack on its platform on December 1st. The hack seems to have been first discovered by on-chain security analyst PeckShield at about 12:35 am UTC on December 2nd.
Ankr has confirmed via tweet that the aBNB token was exploited and that it is working with exchanges to immediately stop the trade of the token which has been compromised.
Our aBNB token has been exploited, and we are currently working with exchanges to immediately halt trading.
The hacker was allegedly able to mint 20 trillion Ankr Reward Bearing Staked BNB (aBNBc), which is a reward-bearing token for BNB staked on the protocol.
The hacker used services such as Uniswap, Tornado Cash, and different bridges to swap and hide the funds in order to gain about $5 million worth of USD Coin, according to a tweet from on-chain analysis firm Lookonchain. In another post, it added that “all underlying assets on Ankr Staking are safe at this time, and all infrastructure services are unaffected.”
Blockchain security firm Beosin suggested that the hack was a result of the vulnerabilities in the smart contract code combined with compromised private keys, which may have appeared from a technical upgrade from Ankr’s team about 12 hours before the incident. It also noted that this mass minting pushed the price of aBNBc to fall 99.5% from $303.89 to $1.53 in a matter of hours, according to data from CoinMarketCap. “It is possible that the deployer’s private key was exposed in this upgrade, leading to an attacker using deployer privileges to modify the contract,” a Beosin spokesperson said.
@ankr has been exploited. $aBNBc has dropped -99.5%. The hacker minted tons of $aBNBc and made a profit of 5,500 BNB (~$1.6 million) The deployer changed the implementation contract to the vulnerable contract address before the attack (possibly due to private key compromise). pic.twitter.com/GJheXh0oDp
The BNB Chain Twitter page also stated that the exploiter’s wallet address has been blacklisted.
We are aware of the attack on @ankr's aBNBc that happened earlier today, leading to a substantial amount of new aBNBc being minted. The exploiter has been blacklisted. Our community is on top of it, coordinating a response. We will provide more updates as they become available.
In another tweet posted today, the world’s biggest cryptocurrency exchange Binance confirmed that its team is in talks with relevant bodies to investigate the occurrence. It also added that Binance users’ funds are safe.
Ibhadojemu Lucky Emmanuel is a graduate of Education and Economics from the University of Benin. He has a passion for tech and business and has been writing professionally for over a period of five years. He's written across various topics and segments and knew tech-business was it when he first stumbled on it. He has a great passion for music and arts, and wants to visit as many countries as he can someday.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behaviour or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
