On Friday, Binance’s CEO Changpeng Zhao announced that the cryptocurrency exchange has paused withdrawals following the hack on BNB Chain-based decentralized finance (DeFi) protocol Ankr. Via a tweet, he shared, “Initial analysis is developer private key was hacked, and the hacker updated the smart contract to a more malicious one.”
Possible hacks on Ankr and Hay. Initial analysis is developer private key was hacked, and the hacker updated the smart contract to a more malicious one. Binance paused withdrawals a few hrs ago. Also froze about $3m that hackers move to our CEX.
— CZ 🔶 Binance (@cz_binance) December 2, 2022
Ankr has confirmed the multi-million dollar hack on its platform on December 1st. The hack, which was first discovered by on-chain security analyst PeckShield at about 12:35 am UTC on December 2nd, allegedly allowed the hacker to mint 20 trillion Ankr Reward Bearing Staked BNB (aBNBc), a reward-bearing token for BNB staked on the protocol. Ankr has confirmed through a tweet that the aBNB token was exploited and that it is working with exchanges to immediately stop trading of the compromised token.
According to a tweet from on-chain analysis firm Lookonchain, the hacker used services such as Uniswap, Tornado Cash, and different bridges to swap and hide the funds in order to gain about $5 million worth of USD Coin.
Blockchain security firm Beosin suggested that the hack resulted from vulnerabilities in the smart contract code combined with compromised private keys, which may have stemmed from a technical upgrade by Ankr’s team about 12 hours before the incident. It also noted that the mass minting caused the price of aBNBc to fall 99.5%, from $303.89 to $1.53, in a matter of hours, according to data from CoinMarketCap. “It is possible that the deployer’s private key was exposed in this upgrade, leading to an attacker using deployer privileges to modify the contract,” a Beosin spokesperson said.
The BNB Chain Twitter page also stated that the exploiter’s wallet address has been blacklisted.
We are aware of the attack on @ankr's aBNBc that happened earlier today, leading to a substantial amount of new aBNBc being minted. The exploiter has been blacklisted.
Our community is on top of it, coordinating a response. We will provide more updates as they become available.
— BNB Chain (@BNBCHAIN) December 2, 2022