- The hacker exploited a bug in Ankr’s aBNBc smart contract which allowed him to mint six quadrillion aBNBc tokens.
- Assessing the damage at around 5 million USD, Ankr has announced to compensate all the affected users.
Earlier today, DeFi protocol Ankr, also popular as the first ‘node-as-a-service’ platform, faced a massive exploit due to a bug in its code that allowed the hacker unlimited minting of its token aBNBc.
Blockchain analytics and security platform PeckShield was among the first to report the hack. They noted that the code behind Ankr’s aBNBc smart contract allowed any user to mint an unlimited amount of reward-bearing staking tokens without any need for verification. As a result, the attacker ended up minting six quadrillion aBNBc tokens.
Our analysis shows the $aBNBc token contract has an unlimited mint bug. Specifically, while mint() is protected with onlyMinter modifier, there is another function (w/ 0x3b3a5522 func. signature) that completely bypasses the caller verification to have arbitrary mint !!! https://t.co/h51e7xpcVf pic.twitter.com/caRgasNNHq
— PeckShield Inc. (@peckshield) December 2, 2022
After minting these massive amounts of aBNBc tokens, the hacker was successful in swapping 20 trillion tokens for BNB and further moving them to crypto mixer TornadoCash. Later, the attacker swapped these BNB tokens for a staggering 5 million USDC or $5 million. According to information by PeckShield, part of the looted digital assets were bridged via Celer and deBridgeGate.
With this, the hacker has completely drained the aBNBc liquidity pools of ApeSwap and PancakeSwap. With this, the price of aBNBc tokens, which has $300 by yesterday, has turned into dust.
Binance helps to probe the attack
Soon as the news of the Ankr protocol hack spread, crypto exchange Binance jumped in to offer help in probing the attack. Binance chief Changpeng Zhao informed the exchange to pause withdrawals a few hours ago. Besides, they have also frozen $3 million moved by the hacker to Binance. In his tweet earlier today, CZ wrote:
Possible hacks on Ankr and Hay. Initial analysis is developer private key was hacked, and the hacker updated the smart contract to a more malicious one. Binance paused withdrawals a few hrs ago. Also froze about $3m that hackers move to our CEX.
It was just recently that BNB Chain introduced a liquid staking feature via Ankr. This allowed users to earn interest by assigning their BNB tokens to the liquid staking contract and in return receive aBNBc.
The crypto exchange has also ensured that all Binance users aren’t affected by this chaos. “This is not an attack against #Binance, and your funds are SAFU on our exchange,” the exchange said.
Ankr to Purchase $5 Million Worth of BNB
Ankr has swept in to do the damage control after assessing the actual loss. The protocol has also decided to compensate all the affected users. It said:
Subscribe to our daily newsletter!
No spam, no lies, only insights. You can unsubscribe at any time.
Ankr will purchase 5m worth of BNB and use this to compensate in totality the liquidity providers that have been affected by the exploit due to the drainage of the liquidity pool. We will take a snapshot and reissue ankrBNB to all valid aBNBc holders before the exploit. The ankrBNB token will continue to be redeemable, while aBNBc and aBNBb will no longer be redeemable.