At midnight on October 7 (GMT+8), BNB Chain (BSC) suffered a massive hacking attack involving a total of $700 million, including $570 million worth of BNB. According to Changpeng Zhao (CZ), CEO of Binance, the attack that shocked the entire crypto industry was caused by a bug in Binance’s cross-chain bridge, BSC Token Hub. In this article, we lay out a timeline of the entire incident and take a deep dive into the attack. We proudly invited the security team from Beosin to analyze the attacker's modus operandi.
The Modus Operandi
Binance’s cross-chain bridge, BSC Token Hub, uses a special precompiled contract to verify the IAVL tree when verifying cross-chain transactions. There is a vulnerability in this implementation that could allow an attacker to forge arbitrary messages.
1. The attacker first selects the hash value of a successfully submitted block (specified block: 110217401)
2. Then constructs an attack payload as a leaf node on the verification IAVL tree
3. Adds an arbitrary new leaf node to the IAVL tree
4. At the same time, adds a blank internal node so that the proof is satisfied
5. Adjusts the leaf node added in step 3 so that the calculated root hash equals the correct root hash of the successfully submitted block selected in step 1
6. Finally, constructs the withdrawal proof for this particular block (110217401)
Beosin Trace is currently tracking the stolen funds in real time.
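Steps 3 to 5 depend on a verifier that accepts proof nodes whose contents do not change the recomputed root. The following is an added example, not code from BSC, the IAVL library or Beosin, showing that gap in a simplified Merkle path model next to the strict check that closes it; the node layout, hashing scheme and all names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

// InnerNode is one path step in this toy model (layout is an assumption):
// the sibling hash sits in Left or Right, the child hash fills the other side.
type InnerNode struct{ Left, Right []byte }

var ErrUnboundField = errors.New("proof node carries a field not bound to the root")

// sum hashes tag || parts; the tag separates leaf hashes from inner hashes.
func sum(tag byte, parts ...[]byte) []byte {
	d := sha256.Sum256(append([]byte{tag}, bytes.Join(parts, nil)...))
	return d[:]
}

func LeafHash(key, value []byte) []byte { return sum(0, sum(2, key), sum(2, value)) }
func hashPair(l, r []byte) []byte       { return sum(1, l, r) }

// Verify recomputes the root from leaf and path. Strict mode also requires
// exactly one sibling per node, so every proof byte is covered by the root.
func Verify(root, leaf []byte, path []InnerNode, strict bool) error {
	h := leaf
	for _, n := range path {
		if strict && (len(n.Left) == 0) == (len(n.Right) == 0) {
			return ErrUnboundField
		}
		if len(n.Left) == 0 {
			h = hashPair(h, n.Right)
		} else {
			h = hashPair(n.Left, h) // n.Right is never read on this branch
		}
	}
	if !bytes.Equal(h, root) {
		return errors.New("root mismatch")
	}
	return nil
}

func main() {
	leaf, sib := LeafHash([]byte("k"), []byte("v")), LeafHash([]byte("a"), []byte("b"))
	padded := []InnerNode{{Left: sib, Right: []byte("constructed, unauthenticated")}}
	root := hashPair(sib, leaf)
	fmt.Println(Verify(root, leaf, padded, false), Verify(root, leaf, padded, true))
}
```

Any later logic that treats the ignored field as authenticated is working with data the root never covered, which is why the strict mode rejects the node outright.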
The Event Timeline (GMT+8)
October 7th, 12:55 AM
At block height 21955968, the attacker paid 100 BNB by calling the contract to register as a Relayer.
2:26 AM & 4:43 AM
The attacker obtained a total of 2 million BNB from the BSC Token Hub system contract in two withdrawals at different times.
Of these, 900,000 BNB were deposited on the BNB Chain lending protocol Venus to borrow 62.5 million BUSD, 50 million USDT, and 35 million USDC. In addition, according to officer_cia, an independent analyst on Twitter, the hack included 1.04 million BNB, $389 million worth of vBNB, and $28 million in BUSD, for a total of $718 million. This attack has now become the largest on-chain hack in crypto history.
5:48 AM
Eden Au, research director at The Block, tweeted that Tether had blacklisted the BNB Chain attacker's address, 0x489a8756c18c0b8b24ec2a2b9ff3d4d447f79bec, which was holding more than $45 million in ETH.
6:19 AM to 6:35 AM
BNB Chain announced that BSC was being paused due to abnormal activity, with all deposits and withdrawals temporarily suspended until further updates. In a follow-up tweet, BNB Chain said that about $70 million to $80 million had been withdrawn and that $7 million of it had been frozen.
7:51 AM
CZ tweeted that a bug in BSC Token Hub had allowed the attacker to forge extra BNB. Nevertheless, he assured users that their funds were safe.
8:47 AM
Paradigm’s researcher samczsun tweeted that the on-chain data and related code showed a bug in the verification method of the Binance bridge, which allowed attackers to forge arbitrary messages, and that the damage could have been far worse.
9:00 AM
The data shows that the attacker used cross-chain bridges such as Stargate and Multichain to transfer cryptoassets, sending roughly $53.35 million and $48.8 million to the Ethereum and Fantom networks respectively. Meanwhile, $430 million worth of tokens remained on BNB Chain.
9:22 AM
BNB Chain requested BSC node validators to contact them in the next few hours so that a node upgrade can be planned.
9:29 AM
CZ retweeted the above tweet without giving an estimated time for BSC to resume.
9:45 AM
Blockchain security firm SlowMist tweeted that its security platform had found that the attacker interacted with multiple dApps, including Multichain, Venus Protocol, Alpaca Finance, Stargate, Curve, Uniswap, Trader Joe, PancakeSwap, SushiSwap, etc. The addresses on the Avalanche chain to which the attacker transferred 1,729,320 USDT have been blacklisted, while the addresses on Arbitrum, to which 2,000,000 USDT was transferred, have not been blacklisted for the time being.
11:30 AM
According to Ouke Cloud Chain, a blockchain big data and technology service provider, the crypto balance in the attacker's wallet address is 1.02 million BNB, 41.28 million vBNB, 28.81 million BUSD, and 2.77 million USDT. The cumulative value of these assets is over $700 million. The loss from this hacking incident exceeded Ronin Network’s $620 million, making it the largest amount of money hacked to date. It all started with an initial transfer of 100+ BNB as attack funds via ChangeNOW, a day prior to the attack. After the transfer, the hacker registered by calling the system RelayerHub contract 0x1006, and then launched the attack on the system CrossChain contract 0x2000.
1:02 PM
BNB Chain tweeted the release of BSC v1.1.15, with BSC validators coordinating to restore BNB Smart Chain (BSC) within 1 hour. The new version blocks the hacker's accounts from acting. In addition, native cross-chain communication between BNB Beacon Chain and BNB Smart Chain is disabled. All node runners are advised to upgrade to the latest version. Validators and the community will discuss further upgrades to fully address this issue.
2:53 PM
BNB Chain tweeted that BSC is working well now. The validators are confirming their status, and community infrastructure is being upgraded.