In Light Of the Confirmed Exploit, Ankr Has Requested a Trade Suspension

The decentralized-finance protocol announced that it is working with exchanges to stop trading its BNB staking rewards coin, aBNBc, immediately.

A multimillion-dollar exploit was used against the BNB Chain-based decentralized finance (Defi) system Ankr on December 1.

#PeckShieldAlert Seems like @ankr has been exploited, $aBNBc has dropped -50%, tons of $aBNBc have minted to https://t.co/nyfwdd6fWI
and the exploiter transferred some of the stolen funds to Tornado cash or bridged them via celer and deBridgeGate to Ethereum @peckshield pic.twitter.com/vK94dIEWIt

— PeckShieldAlert (@PeckShieldAlert) December 2, 2022

PeckShield, an on-chain security analyst, appears to have spotted the attack for the first time at 12:35 UTC on December 2.

Our aBNB token has been exploited, and we are currently working with exchanges to immediately halt trading.

— Ankr (@ankr) December 2, 2022

Ankr tweeted an hour after the hack to clarify that the aBNB token had been abused and that it was working with exchanges to stop trading the compromised token.

The Ankr Reward Bearing Staked BNB

A reward-bearing token for BNB staked on the protocol, called Ankr Reward Bearing Staked BNB (aBNBc), is said to have been minted by the attacker in the amount of 20 trillion.

All underlying assets on Ankr Staking are safe at this time, and all infrastructure services are unaffected.

— Ankr (@ankr) December 2, 2022

The exploiter allegedly used services like Uniswap, Tornado Cash, and several bridges to swap and conceal the funds to earn about $5 million worth of USD Coin, according to a tweet from on-chain analysis company Lookonchain. In a subsequent statement, it also stated that

“all underlying assets on Ankr Staking are safe at this time, and all infrastructure services are unaffected.

The Technical Improvement

Blockchain security company Beosin commented on the hack and said that the exploit was probably caused by flaws in the smart contract code and stolen private keys, which may have resulted from a recent technical upgrade by the Ankr team.

Seems that @ankr got hacked an hour ago!

The exploiter minted 20T aBNBc and dumped it on #PancakeSwap.

At present, the exploiter have successfully exchanged more than 5 million $USDC.https://t.co/hF1tgNYw0t pic.twitter.com/XIPjBi6wvs

— Lookonchain (@lookonchain) December 2, 2022

According to CoinMarketCap data, the mass minting episode led the price of aBNBc to plunge 99.5% in a couple of hours, from $303.89 to $1.53.

@ankr has been exploited. $aBNBc has dropped -99.5%.
The hacker minted tons of $aBNBc and made a profit of 5,500 BNB (~$1.6 million)
The deployer changed the implementation contract to the vulnerable contract address before the attack (possibly due to private key compromise). pic.twitter.com/GJheXh0oDp

— Beosin Alert (@BeosinAlert) December 2, 2022

📣 We are introducing changes to all Reward Bearing and Earning Tokens token models.

This is a strategic decision that we believe will best serve our community of holders, stakers and liquidity providers 🤝

For a better understanding, read the 🧵 below.https://t.co/N6RjZOtUYH pic.twitter.com/v7wuQnnx8g

— Ankr (@ankr) December 1, 2022

“It is possible that the deployer’s private key was exposed in this upgrade, leading to an attacker using deployer privileges to modify the contract,” said Beosin spokesman

The cryptocurrency exchange Binance confirmed in a tweet on December 2 that its team is working with relevant parties to look into the situation further and that its users’ funds are safe. Additionally, the exploiter’s wallet address has been blacklisted, according to the BNB Chain Twitter page.

We are aware of the attack on @ankr's aBNBc that happened earlier today, leading to a substantial amount of new aBNBc being minted. The exploiter has been blacklisted.
Our community is on top of it, coordinating a response. We will provide more updates as they become available.

— BNB Chain (@BNBCHAIN) December 2, 2022