Hacker steals $566 million from Binance Bridge using proof-forgery exploit
An exploit discovered in the exchange platform's proof verifier let the hacker take 2m BNB without raising alarm bells
Cryptocurrency exchange platform Binance has reported a theft of $566 million of Binance Coin (BNB) tokens.
An unidentified user exploited a vulnerability to release two transfers of 1 million BNB each directly to their own address, the company confirmed. The transfers were made at 18:26 and 20:43 UTC respectively.
Binance quickly asked its validators to halt BNB Smart Chain (BSC) to stop the remaining funds from leaving the chain, but the attacker is believed to have already moved between $100 million and $110 million off BSC by the time that action was taken.
“An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologise for the inconvenience and will provide further updates accordingly,” tweeted Changpeng Zhao, CEO of Binance.
Online researchers speculated that the hacker was able to forge a ‘proof’ to validate the transfer of the funds, as their methodology was sophisticated enough to avoid detection for some hours after the transfers had been made.
“In summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages,” said one web3 researcher, who goes by the alias of samczsun, in a tweet. "Fortunately, the attacker here only forged two messages, but the damage could have been far worse."
This hypothesis has since been confirmed in a Reddit thread by a Binance developer, who stated that “the exploit was through a sophisticated forging of the low-level proof into one common library.”
"The blockchain ecosystem contains many technologies besides the core blockchain," said Oded Vanunu, head of products vulnerability research at Check Point. "Some of the technologies that support the ecosystems are Bridges which are responsible to transfer data between blockchain networks and Oracles that are responsible for delivering data from the internet to the smart contracts.
"Hacking groups are making big efforts in the last year to hack these “injections” points that connect networks and are looking for vulnerabilities mainly in the smart contracts and platforms assets such as bridges," he added. "Once hackers manage to exploit vulnerabilities on the platforms or on the ecosystem, they have direct access in the context of the blockchain networks and this is why we see major hacks.
"In our opinion, this is going to continue to happen and we expect blockchain vendors to make sure they secure every layer in their blockchain networks, application logic layers & actual blockchain infrastructures."
The ‘proof’ involved here is not the consensus mechanism that secures the chain itself. A cross-chain bridge locks funds on one chain and releases them on another once it is shown that a matching message, such as a withdrawal request, was recorded on the source chain. That demonstration is a cryptographic inclusion proof: a short chain of hashes leading from the message up to a state root the bridge already trusts. If the code that checks those hashes is flawed, an attacker can present a message the source chain never recorded and have it accepted, which is what the researchers quoted above describe.
That is distinct from the ‘proof’ in ‘proof of work’, the consensus mechanism used by Bitcoin, in which miners compete to find a block hash below a difficulty target. The valid hash is the evidence that the computational work was done, and the miner who finds it is rewarded with newly issued coins and transaction fees.
Proof of stake, the family of consensus mechanisms used by BNB Chain (BSC runs a variant called Proof of Staked Authority), instead selects validators who have locked up coins as collateral to produce and check new blocks. Validators earn transaction fees for honest work and risk their stake if they misbehave. Neither mechanism was the weak point in this incident; the flaw was in the bridge’s proof verifier.
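As an added illustration (not Binance's code, and not a reconstruction of the specific BSC Token Hub bug), the example below builds a small Merkle tree of hypothetical cross-chain messages, produces inclusion proofs, and compares two verifiers. The "weak" scheme hashes leaves and inner nodes the same way, a well-known Merkle-tree pitfall that lets an attacker present the concatenation of two real hashes as a "message" and prove it with a shortened proof; the "strict" scheme adds domain separation and a depth check, which is what a bridge verifier needs. All message contents and the tree layout are constructed for the example.

```python
"""Merkle inclusion proofs of the kind a cross-chain bridge checks before
releasing funds. The bridge trusts only the source chain's state ROOT and
must accept a message only if a proof leads from that message to ROOT.
Everything here is a constructed toy, not the BSC Token Hub implementation."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Scheme:
    leaf: Callable[[bytes], bytes]
    inner: Callable[[bytes, bytes], bytes]


# Weak: a leaf and an inner node are hashed identically, so the 64-byte
# string (left || right) of any inner node is indistinguishable from a leaf.
WEAK = Scheme(leaf=sha256, inner=lambda l, r: sha256(l + r))
# Strict: distinct prefixes mean no byte string is both a leaf and an inner node.
STRICT = Scheme(leaf=lambda m: sha256(b"\x00" + m),
                inner=lambda l, r: sha256(b"\x01" + l + r))

# Padding node for non-power-of-two trees; never duplicate a real leaf.
EMPTY = sha256(b"\x02empty")

# Constructed sample messages (hypothetical format, not a real bridge encoding).
MESSAGES = [b"transfer:alice->bob:100 BNB",
            b"transfer:carol->dave:5 BNB",
            b"transfer:erin->frank:42 BNB"]


def build_tree(messages: List[bytes], scheme: Scheme) -> List[List[bytes]]:
    """Return every level of the tree, leaves first and root last."""
    level = [scheme.leaf(m) for m in messages]
    while len(level) & (len(level) - 1):      # pad to a power of two
        level.append(EMPTY)
    levels = [level]
    while len(level) > 1:
        level = [scheme.inner(level[i], level[i + 1])
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def make_proof(levels: List[List[bytes]], index: int) -> Tuple[int, List[bytes]]:
    """Proof = (leaf index, sibling hashes from the leaf level upwards)."""
    siblings, i = [], index
    for level in levels[:-1]:
        siblings.append(level[i ^ 1])
        i >>= 1
    return index, siblings


def verify(root: bytes, message: bytes, proof: Tuple[int, List[bytes]],
           scheme: Scheme, depth: int = None) -> bool:
    """Recompute the path from the leaf to the root. Directions come from the
    index, never from prover-supplied flags. With depth=None any proof length
    is accepted (lax); with depth set the proof must start at the leaf level."""
    index, siblings = proof
    if depth is not None and (len(siblings) != depth or not 0 <= index < (1 << depth)):
        return False
    h = scheme.leaf(message)
    for sibling in siblings:
        h = scheme.inner(sibling, h) if index & 1 else scheme.inner(h, sibling)
        index >>= 1
    return h == root


def forged_message_and_proof(levels: List[List[bytes]]) -> Tuple[bytes, Tuple[int, List[bytes]]]:
    """Attacker's forgery: claim the two children of the first inner node are a
    'message', and supply a proof that starts one level above the leaves."""
    left, right = levels[0][0], levels[0][1]
    return left + right, make_proof(levels[1:], 0)


def demo() -> Dict[str, Dict[str, bool]]:
    results = {}
    for name, scheme in (("weak", WEAK), ("strict", STRICT)):
        levels = build_tree(MESSAGES, scheme)
        root, depth = levels[-1][0], len(levels) - 1
        forged_msg, forged_proof = forged_message_and_proof(levels)
        results[name] = {
            "honest": verify(root, MESSAGES[2], make_proof(levels, 2), scheme, depth),
            "forged_lax": verify(root, forged_msg, forged_proof, scheme),
            "forged_depth_checked": verify(root, forged_msg, forged_proof, scheme, depth),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

Only the weak scheme with the lax verifier accepts the forged message; either domain separation or the depth check alone is enough to reject it here, and a production verifier should have both, plus a check that the message's key or index matches what the bridge expects to release.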
The blockchain is billed as more secure than conventional investment platforms, but concerns remain over how safe cryptocurrencies are.
"Last year, a total of $2.74 billion was lost across 132 separate incidents," said Rebecca Moody, head of data research at Comparitech. "With 129 attacks and counting, 2022 looks set to be an unprecedented year for crypto heists with record-breaking amounts stolen despite the drop in value across many cryptos."
Amid the attacks, more money than ever is at risk as inflation drives greater numbers of people to invest in cryptocurrencies. In 2021, the Financial Conduct Authority issued a warning that those investing in Bitcoin “should be prepared to lose all their money”.