Hacker steals $566m from Binance Bridge using proof-forgery exploit
Cryptocurrency exchange platform Binance has reported a theft of $566 million of Binance Coin (BNB) tokens.
An unidentified user exploited a vulnerability to release two payments of 1 million BNB token directly to their account, the company confirmed. The transfers were made at 18:26 and 20:43 UTC respectively.
Binance quickly froze its Smart Chain (BSC) to keep the funds from being deposited off-chain, but is believed to have already stolen between $100-110 million by the time that action was taken.
“An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologise for the inconvenience and will provide further updates accordingly,” tweeted Changpeng Zhao, CEO of Binance.
Online researchers speculated that the hacker was able to forge a ‘proof’ to validate the transfer of the funds, as their methodology was sophisticated enough to avoid detection for some hours after the transfers had been made.
“In summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages,” said one Web3 researcher, who goes by the alias of samczsun, in a tweet. “Fortunately, the attacker here only forged two messages, but the damage could have been far worse.”
This hypothesis has since been confirmed in a Reddit thread by a Binance developer, who stated that “the exploit was through a sophisticated forging of the low-level proof into one common library”.
“The blockchain ecosystem contains many technologies besides the core blockchain,” said Oded Vanunu, head of products vulnerability research at Check Point. “Some of the technologies that support the ecosystems are ‘bridges’ which are responsible to transfer data between blockchain networks and ‘oracles’ that are responsible for delivering data from the Internet to the smart contracts.
“Hacking groups are making big efforts in the last year to hack these injections points that connect networks and are looking for vulnerabilities mainly in the smart contracts and platforms assets such as bridges,” he added. “Once hackers manage to exploit vulnerabilities on the platforms or on the ecosystem, they have direct access in the context of the blockchain networks and this is why we see major hacks.
“In our opinion, this is going to continue to happen and we expect blockchain vendors to make sure they secure every layer in their blockchain networks, application logic layers & actual blockchain infrastructures.”
When cryptocurrency is created and added to the blockchain, it must be verified as legitimate – ‘proof’ refers to the consensus mechanisms in place to carry this out, typically either ‘proof of work’ or ‘proof of stake’.
In proof of work, crypto miners solve mathematical problems to trade computational power or energy in exchange for coins worth a set value. The ‘solved’ problem is itself its own proof of validation, added to the blockchain to ensure that the number of coins within the system remains fixed. It is used by cryptocurrencies such as Bitcoin.
Proof of stake, the validation method used by BNB, selects users as ‘validators’ to stake their coins as capital and check new blockchain data to ensure that it passes verification. In return, validators are given fresh coins.
The blockchain is billed as more secure than conventional investment platforms, but concerns remain over how safe cryptocurrencies are.
Web3 projects have already lost more than $2 billion to hacks and exploits in 2022, with hacks such as the recent $4 million theft of Solana and USD Coin from Slope wallets.
“Last year, a total of $2.74 billion was lost across 132 separate incidents,” said Rebecca Moody, head of data research at Comparitech. “With 129 attacks and counting, 2022 looks set to be an unprecedented year for crypto heists with record-breaking amounts stolen despite the drop in value across many cryptos.”
Ⓒ Future Publishing
Subscribers 0
Fans 0
Followers 0
Followers