Ankr Under Attack: Unlimited Minting of aBNBc Token Pegged to BNB
Ankr, a provider of node infrastructure for Proof-of-Stake blockchains, has fallen victim to a security breach, with hackers aggressively dumping BNB.
Update - December 2nd, Evening:
Following an assessment of the attack, Ankr has announced that the damage from the reckless minting of the aBNBc token amounts to approximately $5 million. To address this issue, Ankr has proposed the following measures:
- Snapshot balances and compensate holders of aBNBc prior to the attack.
- Repurchase $5 million worth of BNB from the market to offset the losses caused by the hacker’s dump.
2/ We will take a snapshot and reissue ankrBNB to all valid aBNBc holders before the exploit.
— Ankr (@ankr) December 2, 2022
The ankrBNB token will continue to be redeemable, while aBNBc and aBNBb will no longer be redeemable.
Ankr has stated that it is fully aware of the severity of the situation and has implemented measures to prevent similar incidents in the future.
Update - December 2nd, 2:30 PM:
According to Binance CEO CZ, initial analysis suggests that the attackers compromised Ankr’s private key and updated the smart contract to a malicious one. Binance temporarily suspended withdrawals a few hours ago and has frozen approximately $3 million that the hackers had moved to Binance’s CEX.
Possible hacks on Ankr and Hay. Initial analysis is developer private key was hacked, and the hacker updated the smart contract to a more malicious one. Binance paused withdrawals a few hrs ago. Also froze about $3m that hackers move to our CEX.
— CZ 🔶 BNB (@cz_binance) December 2, 2022
Notably, the Binance CEO also announced that accounts exploiting the infinite minting of aBNBc to profit up to $15.5 million BUSD have been frozen.
1/ A SmartMoney made 15.5M $BUSD with 10 $BNB!
— Lookonchain (@lookonchain) December 2, 2022
After Ankr Exploiter dumped aBNBc, he bought 183,885 aBNBc with just 10 $BNB($2,879).
Then deposited 183,885 aBNBc into @Helio_Money as collateral and borrowed 16M $HAY.
In the end, sold 16M $HAY and get 15.5M $BUSD. pic.twitter.com/Z72t1JG78t
Original Report:
According to alerts from on-chain monitoring services Nansen and Peckshield, Ankr’s protocol appears to be experiencing a severe security issue. Someone minted 10 trillion aBNBc tokens in the first instance, causing the token’s price to plummet nearly 100%. aBNBc is Ankr’s staking product, pegged to the BNB token.
1/ There has been an exploit on Ankr and someone has minted like 6 (quadrillion?) worth of ABNBC
— Nansen Intern 🧭 (@nansen_intern) December 2, 2022
They are swapping with whatever liquidity there is and then tornado'ing out
Track it here: https://t.co/M3PveLkv4w
Good tweets from others below 👇 pic.twitter.com/sFL0578Wpc
Specifically, the hacker transferred 900 BNB (~$253,000) to Tornado Cash, bridged USDC and ETH to Ethereum, and used 1inch for preliminary testing with 1 ETH.
#PeckShieldAlert Ankr Exploiter has transferred 900 $BNB (~$253k) into Tornado Cash & bridged $USDC & $ETH to Ethereum, the exploiter currently holds 3k $ETH (~$3.8M) & 500k $USDC
— PeckShieldAlert (@PeckShieldAlert) December 2, 2022
Ankr Exploiter currently holds 19,999,999,972,926 $aBNBc & becomes the 13th largest holder of $aBNBc pic.twitter.com/TioTnuFqbP
The hacker currently holds 3,000 ETH (~$3.8 million), 500,000 USDC, a significant amount of aBNBc, and is now the 13th largest holder of aBNBc.
#PeckShieldAlert Ankr exploiter copycat? The second huge mint: https://t.co/pmVjIk9Nzi pic.twitter.com/5abcVVUnHE
— PeckShieldAlert (@PeckShieldAlert) December 2, 2022
Just moments ago, the hacker initiated a second round of massive minting, and it’s likely not yet over.
Following the attack, the total supply of aBNBc, according to the smart contract, has ballooned to an astronomical 60 decimal places.
Our aBNB token has been exploited, and we are currently working with exchanges to immediately halt trading.
— Ankr (@ankr) December 2, 2022
PeckShieldAlert:
The project has promptly issued a notice and is working with exchanges to address the issue.
BNB has also been impacted, experiencing a significant drop to $286.6 and currently trading around $288.1.
Price Movement of aBNBc - TradingView - December 2nd, 2022
15m Chart of BNB/USDT on Binance at 10:00 AM, December 2nd, 2022
Ankr, a node infrastructure provider for Proof-of-Stake blockchains, was previously attacked in July, affecting Polygon and Fantom.
