Cryptocurrency

Ankr confirms exploit, asks for immediate trading halt

BNB Chain-based decentralized finance (DeFi) protocol Ankr has confirmed it has been hit by a multi-million dollar exploit on Dec. 1.

The attack appeared to be first discovered by on-chain security analyst PeckShield at approximately 12:35 am UTC on Dec. 2. 

Within an hour of the attack, Ankr confirmed on Twitter that the aBNB token has been exploited and that they’re working with exchanges to immediately halt trading of the compromised token.

The attacker was purportedly able to mint 20 trillion Ankr Reward Bearing Staked BNB (aBNBc), a reward-bearing token for BNB staked on the protocol.

According to a Twitter post from on-chain analysis firm Lookonchain, the exploiter has since used services such as Uniswap, Tornado Cash, and various bridges to swap and obfuscate the funds in order to gain around $5 million worth of USD Coin (USDC).

It also added in a following post that “all underlying assets on Ankr Staking are safe at this time, and all infrastructure services are unaffected.”

In comments to Cointelegraph about the attack, blockchain security firm Beosin suggested the exploit was likely the result of vulnerabilities in the smart contract code combined with compromised private keys, which may have come from a technical upgrade by the Ankr team about 12 hours ago.

Beosin also noted that the mass minting episode caused the price of aBNBc to fall 99.5% from $303.89 to $1.53 in a matter of hours, according to data from CoinMarketCap.

“It is possible that the deployer’s private key was exposed in this upgrade, leading to an attacker using deployer privileges to modify the contract,” a Beosin spokesperson told Cointelegraph.

In a Dec. 2 Twitter post, crypto exchange Binance confirmed its team is engaged with relevant parties to investigate the matter further, adding that Binance’s user funds are not at risk. The BNB Chain Twitter page also stated that the exploiter’s wallet address has been blacklisted.

Cointelegraph contacted Ankr when the exploit was first discovered but did not receive an immediate response.

Update 4:30am UTC Dec. 2: Added in an official statement from Ankr comments from Beosin.

Update 5:30am UTC Dec. 2: Added a statement from Binance’s BNB Chain Twitter account.