A new month, a new DeFi hack! While the situation and what exactly happened remain unclear, it looks like a hacker has exploited the decentralized financial protocol Ankr.
As Binance CEO Changpeng Zhao (CZ) stated a few hours ago, there are possible hacks on Ankr and Hay. According to initial analysis, the developer’s private key was hacked, which enabled the attacker to manipulate an Ankr smart contract.
Blockchain security company PeckShield stated via Twitter:
Our analysis shows the $aBNBc token contract has an unlimited mint bug. Specifically, while mint() is protected with onlyMinter modifier, there is another function (w/ 0x3b3a5522 func. signature) that completely bypasses the caller verification to have arbitrary mint !!!
Through this, the attacker was able to mint 6 quadrillion aBNBc tokens, which he converted into around 5 million USDC. CZ said that Binance paused withdrawals a few hours ago. It also froze about $3 million that the hacker had moved to Binance.
Possible hacks on Ankr and Hay. Initial analysis is developer private key was hacked, and the hacker updated the smart contract to a more malicious one. Binance paused withdrawals a few hrs ago. Also froze about $3m that hackers move to our CEX.
— CZ 🔶 Binance (@cz_binance) December 2, 2022
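A monitoring-side view of the unlimited-mint bug PeckShield describes above, as an added example that is not from the article, PeckShield or Ankr: it flags mints (Transfer events from the zero address) that arrive through an unexpected function selector, come from a caller outside the minter set, or are out of proportion to supply. Only the selector 0x3b3a5522 comes from the text; the addresses, supply figure, 5% threshold, 18 decimals and the choice of the standard mint(address,uint256) selector 0x40c10f19 as the legitimate path are assumptions.

```python
from dataclasses import dataclass

ZERO = "0x" + "00" * 20
MINTER = "0x" + "aa" * 20              # constructed authorized minter
ATTACKER = "0x" + "bb" * 20            # constructed unauthorized caller
ALLOWED_MINT_SELECTORS = {"0x40c10f19"}  # assumed legit path: mint(address,uint256)
AUTHORIZED_MINTERS = {MINTER}
MAX_MINT_BPS = 500                     # assumed policy: one mint <= 5% of supply
UNIT = 10 ** 18                        # assumes an 18-decimal token


@dataclass
class TokenCall:
    """A Transfer log joined with the call that emitted it (from a tx trace)."""
    caller: str      # msg.sender seen by the token contract
    selector: str    # first 4 bytes of calldata sent to the token contract
    from_addr: str
    to_addr: str
    amount: int


def audit_mints(calls, supply_before):
    """Return [(call, reasons)] for each mint that violates the policy above."""
    findings, supply = [], supply_before
    for c in calls:
        if c.from_addr != ZERO:
            continue                   # ordinary transfer, not a mint
        reasons = []
        if c.selector.lower() not in ALLOWED_MINT_SELECTORS:
            reasons.append("unexpected-selector")
        if c.caller.lower() not in AUTHORIZED_MINTERS:
            reasons.append("unauthorized-caller")
        if c.amount * 10_000 > supply * MAX_MINT_BPS:   # integer math, no floats
            reasons.append("outsized-mint")
        if reasons:
            findings.append((c, reasons))
        supply += c.amount             # track supply across the batch
    return findings


def sample_calls():
    """Constructed trace: one normal mint, one transfer, one mint via 0x3b3a5522."""
    return [
        TokenCall(MINTER, "0x40c10f19", ZERO, "0x" + "c1" * 20, 1_000 * UNIT),
        TokenCall("0x" + "c1" * 20, "0xa9059cbb", "0x" + "c1" * 20, "0x" + "c2" * 20, 10 * UNIT),
        TokenCall(ATTACKER, "0x3b3a5522", ZERO, ATTACKER, 6 * 10 ** 15 * UNIT),
    ]


if __name__ == "__main__":
    for call, why in audit_mints(sample_calls(), 1_000_000 * UNIT):
        print(call.selector, call.caller, call.amount // UNIT, why)
```

A check like this sits outside the contract, so it still fires when the contract's own access control is missing or has been replaced by an upgrade.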
Binance Users Are Not Affected In All The Chaos
The price of the aBNBc token has plummeted by almost 100% since the exploit. Recent reports suggest that the attacker has already transferred some of the stolen funds to Tornado Cash. Part of the looted cryptocurrency was bridged via Celer and deBridgeGate, according to security company PeckShield.
That same company had conducted an audit for Ankr a few months ago, warning of a “trust issue with admin keys” that privileged the minting of aBNB tokens. While the Ankr team “acknowledged” the warning, it appears they did not fix it.
Just recently, the BNB Chain had introduced the liquid staking feature through Ankr, which allowed users to earn interest by assigning BNB tokens to the liquid staking contract and receive aBNBc.
However, Binance quickly gave the all-clear, saying that the BNB team is in contact with the affected parties. “This is not an attack against #Binance, and your funds are SAFU on our exchange,” it said in a statement via Twitter.
Since the hacker almost completely emptied the aBNBc liquidity pools on PancakeSwap and ApeSwap, the price of aBNBc has dropped by 99.5% after the exploit.
Opportunistic Trader Turns Less Than $3k Into $15.5 Million
According to the analytics company Lookonchain, an opportunistic trader took advantage of the situation and made a profit of 15.5 million BUSD with a minimal wager of 10 BNB.
After the Ankr exploiter dumped aBNBc, the trader bought 183,885 aBNBc with only 10 BNB worth $2,879, then deposited the 183,885 aBNBc with Helio as collateral and borrowed 16 million HAY. In the end, he sold the 16 million HAY and received 15.5 million BUSD.
The HAY stablecoin saw a massive depeg as a result. The price of the stablecoin dropped to $0.21 at times, but still managed to gradually recover to $0.61 at press time.
Notably, Binance Labs made a strategic investment in Ankr in August 2022. The investment by Binance Labs was aimed at helping Ankr further improve the scalability of blockchain networks.
Possibly in the wake of the news, the BNB price has slid 3.1% and was trading at $290 at press time.