The world’s largest cryptocurrency exchange suspended trading on a smart contract blockchain after a hacker took at least $100 million in stolen cryptocurrency. Independent observers say the attack on the Binance Smart Chain actually netted the hacker $586 million.
Changpeng “CZ” Zhao, chief executive of Binance, says the company asked all validators to suspend BSC and is resolving the issue “Your funds are safe. We apologize for the inconvenience,” Zhao tweeted. He linked to a Reddit post asserting that “the issue is contained now.” BSC uses a consensus mechanism requiring multiple validators to approve transactions. The BSC blockchain runs in parallel with the Binance Chain.
The attacker found a vulnerability on the BSC Token Hub, a cross-chain bridge, by exploiting the smart contract blockchain’s internal verification logic, which allowed for a “huge reward claim,” cybersecurity firm PeckShield tells Information Security Media Group. PeckShield also estimates the total loss to be $586 million, saying that $89.5 million of the stolen funds have already been moved off the Binance Smart Chain.
The incident is the latest in a series of attacks on cross-chain bridges. Blockchain security company Chainalysis pegs the amount of cryptocurrency stolen from bridges this year at $2 billion. Attacks on bridges accounted for 69% of total funds stolen in 2022 through July, it says.
Cross-chain bridges allow the transfer of crypto assets and information across independent blockchains.
The attack appears to have begun around 10 p.m. UTC. At 11:51 p.m. UTC, Zhao said the stolen amount was $100m. At around 1 a.m. UTC, the attacker’s wallet showed about 2 million BSC tokens, an amount worth about $586 million, PeckShield says.
Popular crypto investigator @samczsun, who is a researcher at web3 investment firm Paradigm, explained the technical details of the attack process in a series of tweets:
Five hours ago, an attacker stole 2 million BNB (~$566M USD) from the Binance Bridge. During that time, I’ve been working closely with multiple parties to triage and resolve this issue. Here’s how it all went down. pic.twitter.com/E0885Dc3lW
— samczsun (@samczsun) October 6, 2022
In a bid to address the vulnerability, Binance appears to be working to fix the code with a node upgrade. “We request BSC Validators to get in touch with us within the next few hours so that we can plan a node upgrade,” Binance’s decentralized network BNB Chain tweeted.
It is unclear when the patch will be issued. “No ETA yet. Let’s give the devs time to fully understand the root cause, implement the fixes, test them thoroughly, and then resume. Let’s not rush it now,” he added.