Ankr, a decentralized finance (DeFi) protocol based on the BNB Chain network, was the target of a hacker attack early this Friday (02), losing more than US$ 5 million in assets. That is, almost R$ 26 million at the current exchange rate in reais. The attack targeted a token staking product run by Ankr. As analytics platform BlockSec reported, the hacker took advantage of a vulnerability in Ankr’s smart contract for aBNBc tokens (Ankr Reward Bearing Stake BNB), a reward token tied to the price of Binance’s BNB token. The hacker minted quadrillions of aBNBc tokens, of which 20 trillion were exchanged for BNB. As a result, the price of the digital asset aBNBc fell 99.5%, from BRL 1,690 to BRL 7.93, according to data from CoinGecko.
aBNBc token price chart. Source: CoinGecko In the face of this attack, Binance CEO Changpeng Zhao (CZ) announced on his Twitter account that the cryptocurrency exchange had temporarily paused withdrawals. In addition, he reported that the brokerage froze a good part of the assets that the hacker moved to the exchange: “The initial analysis is that the developer’s private key was hacked and the hacker updated the smart contract to a more malicious one”, he wrote CZ. “Binance stopped withdrawals a few hours ago. It also froze about $3 million that hackers moved to our CEX.” According to CZ, the original smart contract seems to be ok. However, he explained that once a hacker obtains the developer’s private key, he is able to update the smart contract.
Ankr Protocol Attack
Ankr is a protocol that allows users to stake their tokens more easily, without having to buy the necessary hardware. The Ankr team confirmed the attack on their Twitter account: “The Ankr team has assessed the damage and it is a maximum of 5 million USD in BNB from the liquidity pools. We are currently working hard to resolve this issue efficiently,” they said. The Ankr team presented a proposal to refund affected users. The idea of the protocol is to re-issue a new token called ankrBNB, which would be distributed to pre-hack aBNBc holders. Furthermore, Ankr would also buy $5 million worth of BNB tokens to compensate the liquidity providers. “The ankrBNB token will remain redeemable, while aBNBc and aBNBb will no longer be redeemable,” the team explained.
Attack on the Helio Protocol
As the price of the aBNBc token dropped by more than 99%, this opened the door for a second attack. Someone acquired around 183,000 aBNBc tokens with 10 BNB, according to BlockSec. Then, the attacker deposited the tokens into Helio Protocol, a stablecoin issuer based on BNB Chain, to drain the funds. The attacker was able to borrow $16 million in HAY stablecoin with a small amount of aBNBc collateral, as the oracle system used by Helio was unable to update aBNBc prices after the rapid drop. Ultimately, the hacker exchanged his HAY stablecoin for $15 million in Binance USD (BUSD), resulting in a massive loss for the protocol. As reported by BlockSec, $15 million of funds stolen in the second attack were transferred to Binance.
