Over the past year, weaknesses in blockchain bridges have been responsible for record-setting crypto hacks. Binance, the world’s largest crypto exchange by volume, is the latest victim. While it looks like the final amount stolen will fall short of setting a record, the $566 million that thieves made off with is close to the $615 million record set in the similar breach of the Ronin bridge earlier this year.
The attack led to a temporary shutdown of trading on October 6. The crypto hack was reportedly sophisticated, making use of a forgery of the “proof of authority” system the Binance Smart Chain (or BNB Chain) uses for authentication of transactions.
Crypto hack hits Binance for $566 Million, temporarily halts trading
Like some of the other crypto hacks this year that have ended up totaling hundreds of millions of dollars in damages, the Binance strike targeted a decentralized bridge. The attackers manipulated the BSC Token Hub bridge, which connected the BNB Smart Chain and BNB Beacon Chain to facilitate token exchange, to pass forged proof messages by exploiting a previously unknown vulnerability involving the use of previous known good legitimate proofs. The attackers were then able to generate BNB directly to wallets under their control.
The attackers have thus far been able to exfiltrate about $110 million in coins to other blockchains. The bulk of the stolen funds, totaling about $430 million, was trapped in the attacker’s wallets when Binance halted trading temporarily on Thursday. This prevents the thieves from moving them further, but recovery is very difficult without direct access to the wallet. Binance CEO Changpeng Zhao has assured platform users that their funds “are safe” and that more updates would be coming as the situation develops.
Formerly known as Binance Coin, the BNB coin is one of the world’s five largest and has an estimated market value of $45 billion. Of the roughly $110 million the attacker has been able to abscond with so far, it has mostly been converted to USD Coin and Tether. The platform validators will gather for a vote as to whether or not to leave the remainder of the funds frozen.
As with other recent decentralized finance attacks, the attackers looked to exploit some sort of flaw in the system to attack the coin reserves of the backing platform itself rather than find ways into the wallets of individual users. As the attackers used what was essentially a bug in the protocol to mint new coins, coin holders should not need to be made whole by the platform. The damage in these cases is more indirect, represented by a general drop in value of the coin and a blow to the overall stability of the enterprise; BNB dropped by 4% on news of the crypto hack and has continued to slide in the following days.
Binance announced several security improvements on Friday in response to the crypto hack, including a new governance method and an increase in the number of active validators (currently 26).
Chain of major crypto hacks prompting changes, increasing desire for regulations
The Binance crypto hack makes a bad year for decentralized finance worse, as multiple bridges have been hit for tens to hundreds of millions of dollars. The biggest of these attacks was on Ronin Bridge, believed to be conducted by North Korea’s state-sponsored hackers and making use of social engineering (via an elaborate fake job offer) to gain access to an engineer’s account. The Poly Network breach of August 2021 was roughly as big, but the hacker was convinced to return the funds under the auspices of a “bug bounty” demonstration.
Other bridges have not fared so well, also losing substantial amounts of money. The breach of the Wormhole Bridge, in which attackers took about $320 million, also involved a flaw in code that allowed forgeries to be used to access the system. Nomad Bridge lost about $200 million in August when hackers came across a misconfiguration in its smart contract code allowing for “double dipping” on existing approved transactions. And the Qubit Finance bridge lost $80 million earlier in the year that involved yet another code vulnerability that allowed for the injection of malicious data.
Crypto’s central appeal has traditionally been that it is unregulated, untethered from fiat currency systems and largely beyond the reach of world governments. Moods are shifting in some circles, however, as lax security (particularly in the world of decentralized finance) and repeated breach incidents make a case for the imposition of some sort of standards and oversight. Binance has already been leaning in this direction for some time, having called for regulation aimed at protecting users and limiting financial crimes since 2021.