The Binance Bridge on BSC (Binance Smart Chain) was hacked today for 2,000,000 BNB. At the time, BNB was worth about $300, so the total notional value of tokens stolen was $600M. However, only about ~$100M of value was ultimately bridged out. On BSC, the Binance Bridge is a bridge between the Beacon Chain and the Tendermint Chain.

NOTE: Big credit to samczsun, who did a lot of the initial investigation on this. A nontrivial part of this is paraphrased from his thread. My goal here is to make it as accessible as possible for laypeople and easy to understand. Also, thanks to Sam for helping fact-check this.

What is known is that the hack took place on a blockchain called BSC, or Binance Smart Chain. The Binance Bridge provides liquidity to BSC.

The hacker convinced the Binance Bridge to send them 1,000,000 BNB two times. BNB was worth about $300, so this was about $600M.

What's currently believed is that this attack essentially exploited a flaw in a custom functionality built into BSC. This functionality was a merkleized IAVL tree. This code actually lives in a library, but it is part of the BSC L1 (it's a precompile). This IAVL tree is responsible for enforcing/checking the validity of messages sent to the Binance Bridge. For instance, under normal circumstances, the IAVL tree is supposed to reject a hacker's message to fraudulently withdraw 1,000,000 BNB. However, the attacker found a flaw in the IAVL verification routine, which allowed them to trick the IAVL tree into accepting arbitrary messages. Armed with the capability to have arbitrary messages they forge accepted, the hacker then submitted two fraudulent withdrawals.

The IAVL code seems to have been a part of the Cosmos SDK. However, Cosmos (thankfully) doesn't use IAVL for validation now. They use ICS23, which we currently believe is not affected.

Now that the hacker has all of this BNB, they are not done yet. All of these tokens are still on the Binance Smart Chain. The hacker likely knew that BSC would be halted/frozen after such a massive hack, so they knew they had to transfer as much value off of BSC as quickly as possible. The typical way one transfers funds among different blockchains is via bridges. So after hacking the Binance Bridge, the attacker then went to other bridges to try to convert their hacked BNB proceeds on BSC to other chains. This is because the hacker probably knew that it's not likely that other chains would be frozen when BSC is hacked (other chains don't really have an incentive to cooperate). NOTE that these other bridges were NOT hacked; they were just used as part of the hacker's exit strategy.

Note that this poses a challenge because when hacked funds are moved off-chain, it effectively makes any "claw-backs" or reversals impossible. Suppose there is a bridge that goes between the BSC and Ethereum chains. As you dump your hacked (soon to be frozen/blacklisted/whatever) tokens onto the BSC side of the bridge, you receive an equivalent amount of tokens on the Ethereum side of the bridge. No matter what happens on the BSC side, even if they "roll back" the entire blockchain, you have tokens on the Ethereum side which are going to be much more difficult to freeze or obstruct.

As a second note, this also effectively dampens the amount of value that can be extracted from a hack like this. The issue is that those Ethereum-side tokens you receive originally belonged to someone else, who was supplying liquidity to that BSC-Ethereum bridge the hacker used. After they deplete all of the existing liquidity that ties BSC to other chains, you can't really get any more value off of BSC. At that point BSC becomes a bit of an island.

Conclusion

Bridges are sometimes hacked for large amounts of money. However, that is not to say all bridges are insecure. Bridge security is both extremely important and difficult to get right.

Zellic is a smart contract auditing firm founded by hackers, for hackers.
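The check the IAVL tree is supposed to perform, that a withdrawal message is really part of the state the source chain committed to, as an added Go example that is not the post's or BSC's own code. It is a plain binary Merkle tree with constructed sample withdrawals, not IAVL itself, and the key/value names are assumptions made for the illustration.

```go
package main

import "bytes"
import "crypto/sha256"

// ProofStep is one sibling hash on the path from a leaf up to the root.
type ProofStep struct {
	Hash []byte
	Left bool // sibling sits to the left of the node being proven
}

// Tagged hashing (0x00 leaf, 0x01 inner) so a leaf cannot pose as an inner node.
func node(tag byte, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte{tag})
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// BuildTree commits the (key, value) leaves as a Merkle tree and returns the root
// plus an inclusion proof for leaf idx. Assumes len(keys) is a power of two.
func BuildTree(keys, values [][]byte, idx int) (root []byte, proof []ProofStep) {
	level := make([][]byte, len(keys))
	for i := range keys {
		level[i] = node(0x00, keys[i], values[i])
	}
	for len(level) > 1 {
		sib := idx ^ 1
		proof = append(proof, ProofStep{Hash: level[sib], Left: sib < idx})
		var next [][]byte
		for i := 0; i < len(level); i += 2 {
			next = append(next, node(0x01, level[i], level[i+1]))
		}
		level, idx = next, idx/2
	}
	return level[0], proof
}

// VerifyMessage recomputes the root from the claimed (key, value) and proof and
// accepts only if it equals the root the chain committed to (trustedRoot).
func VerifyMessage(trustedRoot, key, value []byte, proof []ProofStep) bool {
	cur := node(0x00, key, value)
	for _, s := range proof {
		if s.Left {
			cur = node(0x01, s.Hash, cur)
		} else {
			cur = node(0x01, cur, s.Hash)
		}
	}
	return bytes.Equal(cur, trustedRoot)
}
```

A withdrawal whose amount or key differs from the committed leaf changes the leaf hash, so the recomputed root no longer matches and the message is rejected; the final comparison against the trusted root is the step a verifier must never skip.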