IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hacker steals $566 million from Binance Bridge using proof-forgery exploit

An exploit discovered in the exchange platform's proof verifier let the hacker take 2m BNB without raising alarm bells

Cryptocurrency exchange platform Binance has reported a theft of $566 million of Binance Coin (BNB) tokens.

An unidentified user exploited a vulnerability to release two payments of 1 million BNB token directly to their account, the company confirmed. The transfers were made at 18:26 and 20:43 UTC respectively.

Binance quickly froze its Smart Chain (BSC) to keep the funds from being deposited off-chain, but is believed to have already stolen between $100-110 million by the time that action was taken.

“An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologise for the inconvenience and will provide further updates accordingly,” tweeted Changpeng Zhao, CEO of Binance.

Online researchers speculated that the hacker was able to forge a ‘proof’ to validate the transfer of the funds, as their methodology was sophisticated enough to avoid detection for some hours after the transfers had been made. 

“In summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages,” said one web3 researcher, who goes by the alias of samczsun, in a tweet. "Fortunately, the attacker here only forged two messages, but the damage could have been far worse."

This hypothesis has since been confirmed in a Reddit thread by a Binance developer, who stated that “the exploit was through a sophisticated forging of the low-level proof into one common library.”

"The blockchain ecosystem contains many technologies besides the core blockchain," said Oded Vanunu, head of products vulnerability research at Check Point. "Some of the technologies that support the ecosystems are Bridges which are responsible to transfer data between blockchain networks and Oracles that are responsible for delivering data from the internet to the smart contracts.

Related Resource

The future of work is already here. Now’s the time to secure it.

Robust security to protect and enable your business

Whitepaper cover with BT logo and title, and businessman looking into the distanceFree Download

"Hacking groups are making big efforts in the last year to hack these “injections” points that connect networks and are looking for vulnerabilities mainly in the smart contracts and platforms assets such as bridges," he added. "Once hackers manage to exploit vulnerabilities on the platforms or on the ecosystem, they have direct access in the context of the blockchain networks and this is why we see major hacks.

"In our opinion, this is going to continue to happen and we expect blockchain vendors to make sure they secure every layer in their blockchain networks, application logic layers & actual blockchain infrastructures."

When cryptocurrency is created and added to the blockchain, it must be verified as legitimate - ‘proof’ refers to the consensus mechanisms in place to carry this out, typically either ‘proof of work’ or ‘proof of stake’.

In proof of work, crypto miners solve mathematical problems to trade computational power or energy in exchange for coins worth a set value. The ‘solved’ problem is itself its own proof of validation, added to the blockchain to ensure that the number of coins within the system remains fixed. It is used by cryptocurrencies such as Bitcoin.

Proof of stake, the validation method used by BNB, selects users as ‘validators’ to stake their coins as capital and check new blockchain data to ensure that it passes verification. In return, validators are given fresh coins.

The blockchain is billed as more secure than conventional investment platforms, but concerns remain over how safe cryptocurrencies are.

Web3 projects have already lost more than $2 billion to hacks and exploits in 2022, with hacks such as the recent $4 million theft of Solana and USD Coin from Slope wallets.

"Last year, a total of $2.74 billion was lost across 132 separate incidents," said Rebecca Moody, head of data research at Comparitech. "With 129 attacks and counting, 2022 looks set to be an unprecedented year for crypto heists with record-breaking amounts stolen despite the drop in value across many cryptos."

Amidst the attacks, more money than ever at risk as inflation drives greater numbers to invest in cryptocurrencies. In 2021, the Financial Conduct Authority issued a warning that those investing in Bitcoin “should be prepared to lose all their money”.

Featured Resources

AI for customer service

IBM Watson Assistant solves customer problems the first time

View now

Solve cyber resilience challenges with storage solutions

Fundamental capabilities of cyber-resilient IT infrastructure

Free Download

IBM FlashSystem 5000 and 5200 for mid-market enterprises

Manage rapid data growth within limited IT budgets

Free download

Leverage automated APM to accelerate CI/CD and boost application performance

Constant change to meet fast-evolving application functionality

Free Download

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Google rolls out patch for high-severity Chrome browser zero day
zero-day exploit

Google rolls out patch for high-severity Chrome browser zero day

25 Nov 2022