BNB Chain, a blockchain linked to the Binance cryptocurrency exchange, disclosed an exploit on a cross-chain bridge that drained around $100 million in digital assets.
“There was an exploit affecting the native cross-chain bridge between BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20 or BSC), known as ‘BSC Token Hub,'” it said last week. “The exploit was through a sophisticated forging of the low level proof into one common library.”
According to Binance CEO Changpeng Zhao, the exploit on the cross-chain bridge “resulted in extra BNB,” prompting a temporary suspension of the Binance Smart Chain (BSC).
“BNB, which stands for ‘Build and Build’ (formerly called Binance Coin), is the blockchain gas token that ‘fuels’ transactions on BNB Chain,” Binance noted earlier this February.
No user funds are said to have been impacted, since the vulnerability in the BSC Token Hub bridge enabled the unknown threat actor attacker to mint new BNB tokens in an unauthorized manner.
While the hack involved the withdrawal of two million BNB in two transactions, the suspension of the chain prevented the theft of nearly $430 million in crypto, blockchain security firm SlowMist said.
It is the latest in a series of major incidents targeting cross-chain bridges – which facilitate transfer of assets between blockchains – this year, after that of Axie Infinity, Harmony Horizon Bridge, and Nomad Bridge.
Blockchain analytics firm Chainalysis, in August, estimated that $2 billion worth of cryptocurrency had been stolen in 13 cross-chain bridge attacks, accounting for 69% of total funds stolen in 2022.
The development also comes as cybersecurity company Bitdefender revealed details of a cryptojacking campaign that exploits known DLL side-loading vulnerabilities in Microsoft OneDrive to establish persistence and deploy crypto miner software.
In a related development, Trend Micro revealed that a malicious actor dubbed Water Labbu targeted 45 crypto-based fraudulent websites operated by other criminals to divert victims’ funds to a wallet under their control.
“In a parasitic manner, the threat actor compromised the websites of other scammers posing as a decentralized application (DApp) and injected malicious JavaScript code into them,” the company said in an analysis last week.