BNB Chain, the blockchain of crypto exchange Binance, was paused on Oct. 6 due to an exploit on its cross-chain bridge, with attackers making off with an estimated $100 million worth of cryptocurrency.
The official Twitter account of the BNB Chain first announced the temporary pause due to “irregular activity” on the blockchain but soon after added that it was due to a possible exploit. Binance provided an update that the blockchain was “under maintenance,” suspending all deposits and withdrawals.
To confirm, we have suspended BSC after having determined a potential exploit.
— BNB Chain (@BNBCHAIN) October 6, 2022
All systems are now contained, and we are immediately investigating the potential vulnerability. We know the Community will assist and help freeze any transfers.
All funds are safe.
Rumors had earlier swirled on Twitter that the network had undergone a significant hack, with on-chain analytics showing alleged attackers exploiting roughly two million BNB, the chain’s native token, a value of nearly $600 million.
Hi, @BNBCHAIN Apparently, two huge reward claims
— PeckShield Inc. (@peckshield) October 6, 2022
with each claiming 1M BNB and in total ~$586M rewards are claimed from its token hub. (https://t.co/mMg8o0u7fj) https://t.co/FxRHDdvuPg pic.twitter.com/GSrLSSyRNR
A later update by a BNB Chain developer on Reddit confirmed that the exploit had taken place, stating that the initial estimates for the value of the exploit are between $100 million and $110 million, with roughly $7 million frozen.
BNB Chain said the exploit, which was perpetrated on the BSC Token Hub, resulted in the creation of “extra BNB,” but reassured the public that its systems are contained and user funds are safe while it continues to investigate the vulnerability.
An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly.
— CZ Binance (@cz_binance) October 6, 2022
Initial on-chain analysis by Twitter users before the official announcements showed that the attacker claimed a one million BNB reward through the token hub, before depositing the balance into the decentralized finance (DeFi) lending platform Venus Protocol.
They then borrowed $150 million worth of stablecoins spread across USD Coin (USDC), Tether (USDT), and Binance USD (BUSD) using cross-chain bridges to swap the tokens for Ether (ETH), Phantom Protocol (PHM) tokens and Polygon (MATIC) before the BNB Chain was paused.
Before the BNB chain halt, attacker successfully transferred:
— Hacken (@hackenclub) October 6, 2022
≈ $57M to Fantom
≈ $53M to Ethereum
≈ $400k to Polygon
The attacker again exploited another one million BNB, which they placed into Stargate Protocol, another cross-chain bridge provider.
Related: $2B in crypto stolen from cross-chain bridges this year: Chainalysis
Zane Huffman, strategy lead of DeFi platform Vesper Finance, concluded the attacker has made off with roughly $100 million from an initial exploit of nearly $600 million, the figure later provided by Zhao.
The attackers next moves will probably to pull ETH out of bridges back to mainnet and then tornado. They have about around $45 million in ETH on mainnet, another $20 million in bridges (Avalanche and Fantom official).
— GREEN JEFF (The Bread #9) (@jeffthedunker) October 6, 2022
With overcollateralized ETH borrows, they may get $100mm max
Huffman added the attacker has roughly over $400 million worth of digital assets frozen on the BNB Chain, with more possibly stuck in cross-chain bridges on the BNB blockchain side.
Stablecoin provider Tether has also blacklisted the address associated with the exploit.
Updated with further information from BNB Chain, Zhao and initial analysis from various sources.