Hacker steals $566 million from Binance Bridge using proof-forgery exploit
A flaw in the cross-chain bridge's proof verifier let the attacker take 2m BNB without raising alarm bells
Cryptocurrency exchange platform Binance has reported a theft of $566 million of Binance Coin (BNB) tokens.
An unidentified user exploited a vulnerability to release two payments of 1 million BNB tokens directly to their own account, the company confirmed. The transfers were made at 18:26 and 20:43 UTC respectively.
Binance quickly had validators halt BNB Smart Chain (BSC) to keep the funds from being moved off the chain, but the attacker is believed to have already moved between $100 million and $110 million out of BSC by the time that action was taken.
“An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologise for the inconvenience and will provide further updates accordingly,” tweeted Changpeng Zhao, CEO of Binance.
Online researchers speculated that the hacker was able to forge a ‘proof’ to validate the transfer of the funds, as their methodology was sophisticated enough to avoid detection for some hours after the transfers had been made.
“In summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages,” said one web3 researcher, who goes by the alias of samczsun, in a tweet. "Fortunately, the attacker here only forged two messages, but the damage could have been far worse."
This hypothesis has since been confirmed in a Reddit thread by a Binance developer, who stated that “the exploit was through a sophisticated forging of the low-level proof into one common library.”
"The blockchain ecosystem contains many technologies besides the core blockchain," said Oded Vanunu, head of products vulnerability research at Check Point. "Some of the technologies that support the ecosystems are Bridges, which are responsible for transferring data between blockchain networks, and Oracles, which are responsible for delivering data from the internet to the smart contracts.
"Hacking groups have been making big efforts in the last year to hack these 'injection' points that connect networks, and are looking for vulnerabilities mainly in the smart contracts and platform assets such as bridges," he added. "Once hackers manage to exploit vulnerabilities on the platforms or on the ecosystem, they have direct access in the context of the blockchain networks, and this is why we see major hacks.
"In our opinion, this is going to continue to happen and we expect blockchain vendors to make sure they secure every layer in their blockchain networks, application logic layers & actual blockchain infrastructures."
The word 'proof' is doing two different jobs here. In consensus, 'proof of work' and 'proof of stake' are the mechanisms by which a chain's participants agree on which new blocks are legitimate. The proof the attacker forged is a different object: a cryptographic inclusion proof, submitted alongside a cross-chain message, that the message was actually committed on the source chain. The bridge's verifier checks that proof before it releases tokens on the destination chain, so a verifier that accepts a malformed proof will release tokens for a message that was never committed anywhere.
In proof of work, miners spend computational power (and therefore energy) searching for a block hash that satisfies a difficulty target. The winning solution is cheap for anyone to check, is recorded in the block, and earns the miner newly issued coins at a rate the protocol fixes. Bitcoin uses it.
Proof of stake, the family of mechanisms BNB Smart Chain uses, selects validators that have locked up (staked) coins as collateral to propose and check new blocks. In return, validators are rewarded with fees and fresh coins.
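To make the failure mode concrete, the following is an added example written for this page; it is not code from Binance, the BSC Token Hub, or the researchers quoted above. It builds a small Merkle tree of committed cross-chain messages, generates an honest inclusion proof, and then compares a correct verifier with a hypothetical flawed one (`verify_lenient`) whose "both child hashes supplied" shortcut silently stops binding the leaf to the root. That shortcut is constructed for illustration and is not the actual defect in the bridge's proof library; the message contents are likewise made up.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Step:
    """One level of a Merkle path. An honest step names the sibling hash on
    exactly one side; the hash computed so far is the child on the other."""
    left: Optional[bytes] = None
    right: Optional[bytes] = None


def leaf_hash(data: bytes) -> bytes:
    # Domain-separate leaves from inner nodes so a leaf cannot pose as a node.
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_tree(leaves: List[bytes]) -> Tuple[bytes, List[List[bytes]]]:
    """Return (root, levels). Odd levels duplicate their last node, and the
    padded level is what gets stored, so make_proof sees the same layout."""
    level = [leaf_hash(leaf) for leaf in leaves]
    levels: List[List[bytes]] = []
    while True:
        if len(level) > 1 and len(level) % 2:
            level = level + [level[-1]]
        levels.append(level)
        if len(level) == 1:
            return level[0], levels
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def make_proof(levels: List[List[bytes]], index: int) -> List[Step]:
    """Honest inclusion proof for the leaf at `index`: one sibling per level."""
    steps = []
    for level in levels[:-1]:
        sibling = index ^ 1
        steps.append(Step(left=level[sibling]) if sibling < index else Step(right=level[sibling]))
        index //= 2
    return steps


def verify_strict(root: bytes, leaf: bytes, proof: List[Step]) -> bool:
    """Correct verifier: every step must consume the running hash."""
    h = leaf_hash(leaf)
    for step in proof:
        if (step.left is None) == (step.right is None):
            return False  # malformed step: exactly one sibling is allowed
        h = node_hash(step.left, h) if step.left is not None else node_hash(h, step.right)
    return h == root


def verify_lenient(root: bytes, leaf: bytes, proof: List[Step]) -> bool:
    """Hypothetical flawed verifier (constructed for this example). When a
    step carries both child hashes it trusts them and drops the running
    hash, so the leaf is no longer bound to the root it claims to be under."""
    h = leaf_hash(leaf)
    for step in proof:
        if step.left is not None and step.right is not None:
            h = node_hash(step.left, step.right)  # BUG: `h` is discarded here
        elif step.left is not None:
            h = node_hash(step.left, h)
        elif step.right is not None:
            h = node_hash(h, step.right)
        else:
            return False
    return h == root


def forge_proof(real_leaf: bytes, honest_proof: List[Step]) -> List[Step]:
    """Attacker's move: replay an honest proof up to the top, read off both
    children of the root, and emit one 'both sides given' step. Against
    verify_lenient that single step validates ANY leaf under the real root."""
    h = leaf_hash(real_leaf)
    for step in honest_proof[:-1]:
        h = node_hash(step.left, h) if step.left is not None else node_hash(h, step.right)
    top = honest_proof[-1]
    if top.left is not None:
        return [Step(left=top.left, right=h)]
    return [Step(left=h, right=top.right)]


def demo() -> Dict[str, bool]:
    # Constructed sample: three committed cross-chain messages (not real data).
    messages = [b"release 10 BNB to alice", b"release 3 BNB to bob", b"release 7 BNB to carol"]
    root, levels = build_tree(messages)
    honest = make_proof(levels, 1)
    forged_msg = b"release 1000000 BNB to attacker"  # never committed on the source chain
    forged = forge_proof(messages[1], honest)
    return {
        "honest_strict": verify_strict(root, messages[1], honest),
        "honest_lenient": verify_lenient(root, messages[1], honest),
        "forged_strict": verify_strict(root, forged_msg, forged),
        "forged_lenient": verify_lenient(root, forged_msg, forged),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Both verifiers accept the honest proof, which is why this class of bug survives normal traffic; only the forged proof separates them. The strict verifier rejects the forged step as malformed, while the lenient one recomputes the genuine root from the two child hashes the attacker lifted out of a real proof and accepts a message that was never committed. The general lesson for any proof verifier is that every byte of the proof must feed into the recomputed root, and a step that lets the prover substitute a value the verifier would otherwise have computed is a forgery primitive.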
Blockchains are billed as more secure than conventional investment platforms, but concerns remain over how safe cryptocurrencies are.
Web3 projects have already lost more than $2 billion to hacks and exploits in 2022, including the recent $4 million theft of SOL and USD Coin from Slope wallets.
"Last year, a total of $2.74 billion was lost across 132 separate incidents," said Rebecca Moody, head of data research at Comparitech. "With 129 attacks and counting, 2022 looks set to be an unprecedented year for crypto heists with record-breaking amounts stolen despite the drop in value across many cryptos."
Amidst the attacks, more money than ever is at risk, as inflation drives greater numbers of people to invest in cryptocurrencies. In 2021, the Financial Conduct Authority issued a warning that those investing in Bitcoin "should be prepared to lose all their money".
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.