An exploit of a bug in the Binance-run blockchain network, BNB Chain, allowed a hacker to ‘trick’ the BNB Chain’s BSC Token Hub bridge into sending them roughly US$560 million worth of BNB tokens. This incident renewed concerns involving the security of cross-chain bridges.
The Binance team responded by suspending activity made on the Binance blockchain, freezing a majority of the stolen assets. It’s estimated that the hacker made off with roughly US$100 million worth of assets on other chains.
Within a day of suspension, BNB Chain tweeted that the bridge was up and running again:
In the days following the hack, the price of BNB fell by 5-7%.
Investor funds safe, extra BNB created
BNB Chain is not the first cross-chain bridge to experience a major hack — around $US$625 million worth of WETH and USDC was drained from Ronin earlier in 2022, considered one of the biggest hacks in the history of crypto.
As the BNB Chain hack was revealed, Binance CEO Changpeng ‘CZ’ Zhao quickly moved to reassure users, tweeting that funds were safe:
The ‘extra’ BNB were essentially created from nothing, through an exploit of the bridge’s code.
A detailed analysis tweeted by security expert @samczsun explains how the hack may have been carried out, summarising by saying, “there was a bug in the way that the Binance bridge verified proofs which could have allowed attackers to forge arbitrary messages.”
Next Steps: On-Chain Governance Vote
BNB Chain has said governance votes will determine how to approach the next steps in relation to whether to freeze the hacked funds, whether to use BNB Auto-Burn to cover the remaining hacked funds, and how to deliver a Whitehat program to find future bugs and reward hackers with bounties.
The platform also committed to contributing to a broader conversation about the vulnerabilities in cross-chain bridges, stating:
“We will openly share the details of the postmortem and all lessons on how to implement more advanced security measures to shore-up these vulnerabilities.”
BNB Chain