Binance Restores Cross-Chain Bridge After $569M Attack

Cryptocurrency exchange Binance restored operations on its BSC Token Hub smart contract early Friday, hours after a hacker stole BNB Binance chain native tokens worth $568.6 million.

See Also: Now OnDemand | C-Suite Round-up: Connecting the Dots Between OT and Identity

BSC Token Hub is the native cross-chain bridge between Binance’s BNB Beacon Chain and BNB Smart Chain. Cross-chain bridges allow the transfer of crypto assets and information across blockchains.

A “vast majority of the funds remain under control,” the company says, without sharing further details. A Reddit post from the company says it froze $7 million of the stolen funds.

Blockchain security firm PeckShield said on Thursday night that the attacker moved $89.5 million of the stolen funds off the Binance chain. Blockchain security firm CertiK pegged the number at $110.7 million as of early Friday morning.

The company says it “own(s) this [the attack]” and upgraded the vulnerable contract to version v1.1.15 to “stop hacker accounts from acting.” It did not specify how it will do so.

Further upgrades are expected, even as validators confirm their statuses in parallel, the company said around 7:00 a.m. UTC on Friday.

The BSC Token Hub uses a consensus mechanism requiring multiple validators to approve transactions. It has 26 active validators, among a total of 44.

“Decentralized chains are not designed to be stopped, but by contacting community validators one by one, we were able to stop the incident from spreading. This delayed closure, but we were able to minimize the loss,” the company says.

The incident is the latest in a series of attacks on cross-chain bridges. Blockchain security company Chainalysis pegs the amount of cryptocurrency stolen from bridges this year at $2 billion. Attacks on bridges accounted for 69% of total funds stolen in 2022 through July, it says.

The latest incident is the third-largest attack on cross-chain bridges in the past two years, paling in comparison only to the $615 million hack on Ronin Network and $612 million Poly Network incident.

Attack Details

The attacker was able to forge proof messages that were then accepted by the BSC Token Hub bridge. The bug likely was a result of the bridge not fully verifying the Merkle proof to the root hash, which allowed the attacker to generate forged proofs from a previous, legitimate one and then mint BNB directly to their wallet, CertiK tells Information Security Media Group. It explains that the attack is unique because the hacker did not steal existing funds, but minted new ones.

The attack appears to have begun around 10:00 p.m. UTC on Thursday. At around 1:00 a.m. UTC, the attacker’s wallet showed crypto worth about $586 million, PeckShield told ISMG at the time.

Popular crypto investigator @samczsun, who is a researcher at web3 investment firm Paradigm, explained the technical details of the attack process in a series of tweets:

Five hours ago, an attacker stole 2 million BNB (~$566M USD) from the Binance Bridge. During that time, I’ve been working closely with multiple parties to triage and resolve this issue. Here’s how it all went down. pic.twitter.com/E0885Dc3lW

— samczsun (@samczsun) October 6, 2022

Mitigation

Binance looks to hold on-chain governance votes to determine whether or not to offer a 10% bounty for catching the hacker and returning the funds, set up a bug bounty program to offer $1 million for those who report “significant” bugs, freeze the hacked funds and use BNB auto-burn to restore the remaining hacked funds. Crypto companies use coin burning as a mechanism to permanently remove a predetermined number of coins from circulation.

The company says it will set up a new on-chain governance mechanism on the BNB Chain to “fight and defend future possible attacks” and also increase the number of community validators. Blockchain projects, especially decentralized ones, use the governance mechanism to distribute decision-making voting powers among their users.

Binance says it will share the lessons from the incident and implement security measures to shore up cross-chain vulnerabilities. Blockchain security firm BlockSec shared technical details of how companies that run cross-chain platforms can secure themselves:

1/ The Binance cross-chain bridge has been attacked. The root cause is due to the vulnerability in the message verification, as reported by @samczsun (https://t.co/tfiuNSvkh0).
In fact, bridges have been valuable targets for attackers. The figure shows the representative ones. pic.twitter.com/QPCgNEaiD0

— BlockSec (@BlockSecTeam) October 7, 2022