Complete Analysis of How Hackers Stole 2 Million BNB from Binance Chain


Event Review: Binance Chain Suffers the Largest Hacker Attack in History

In the early morning of October 7th, BNBChain was attacked by hackers, involving a total amount of $700 million, including $570 million in BNB. According to Zhao Changpeng, the founder of Binance, the main cause of the "attack" that shook the entire industry was a vulnerability in TokenHub, a cross-chain bridge.

Golden Finance has compiled a full account of the "attack" for readers and invited the Beosin security team to analyze the attack method.

The attack method is as follows:

When verifying cross-chain transactions, the Binance cross-chain bridge BSCTokenHub uses a special precompiled contract to verify the IAVL tree. This implementation contains a vulnerability that may allow attackers to forge arbitrary messages.

1) The attacker first selects the hash value of a successfully submitted block (specified block: 110217401).

2) The attacker then constructs an attack payload for validating leaf nodes on the IAVL tree.

3) An arbitrary new leaf node is added to the IAVL tree.

4) At the same time, a blank internal node is added so that the proof satisfies the implementation.

5) The leaf node added in step 3 is adjusted so that the calculated root hash equals the correct root hash of the successfully submitted block selected in step 1.

6) Finally, the withdrawal proof for this specific block (110217401) is constructed. BeosinTrace is tracking the stolen funds in real time.

The event timeline is as follows:

October 7th 00:55

The hacker registered as a relayer by calling the contract and paying 100 BNB at block height 21955968.

2:26-4:43

The hacker obtained a total of 2 million BNBs from the TokenHub system contract of BNBChain in two installments (2:26, 4:43).

In addition, 900000 BNBs were pledged as collateral on Venus, a lending protocol on BNBChain, to borrow 62.5 million BUSD, 50 million USDT, and 35 million USDC. According to independent analysts on the social media account CIAOfficer, the attacker's holdings currently include 1.04 million BNBs, $389 million in venusBNB, and $28 million in BUSD, totaling $718 million. This makes it the largest on-chain attack in history.


5:48


0x489a8756c18c0b8b24ec2a2b9ff3d447f79bec) is blacklisted, and the attacker also holds ETHs of over $45 million.


6:19-6:35

BNBChain tweeted that due to abnormal activity, maintenance is currently underway and all deposits and withdrawals through the BNB chain are temporarily suspended until further updates are made. We have suspended BNBChain after identifying potential vulnerabilities, and all systems are now under control. We are investigating potential vulnerabilities and we know that the community will assist in freezing any transfers. BNBChain stated in another tweet that approximately $70 million to $80 million in funds have been withdrawn and $7 million has been frozen. It is reported that this hacker attack resulted in the theft of approximately $718 million worth of assets, including 2 million BNBs.


7:51

Binance CEO Zhao Changpeng tweeted that a vulnerability in the Token Hub of the BNBChain cross-chain bridge has resulted in extra BNB, and all validators have been asked to temporarily suspend BNBChain. The issue is now contained and funds are secure, and further updates will be provided accordingly.


8:47

Paradigm researcher Samczsun posted on social media that on chain data and related code indicate a bug in the BSC cross chain bridge verification method, which may allow attackers to forge arbitrary messages. In this attack, the attacker forged information and passed the verification of the BSC cross chain bridge, causing the cross chain bridge to send 2 million BNBs to the attacker's address.

9:00

Data shows that the attacker behind the BNBChain exploit used cross-chain bridges such as Stargate and Multichain to transfer assets, sending approximately $53.35 million and $48.8 million to the Ethereum and Fantom networks, respectively. Approximately $430 million still remains on BNBChain.


9:22

BNBChain's official post on social media stated that it has requested BNBChain node validators to contact them within the next few hours in order to plan for node upgrades.


9:29

Zhao Changpeng, the founder of Binance, tweeted, "We are currently unable to provide a specific expected upgrade time. Binance will give developers time to fully understand the root cause of this incident, implement repairs, and conduct in-depth testing before continuing


9:45

SlowMist posted on social media stating that it has monitored the interaction between the hacker address in the BNBChain theft case and multiple dApps, including Multichain, VenusProtocol, AlpacaFinance, Stargate, Curve, Uniswap, TraderJoe, PancakeSwap, SushiSwap, etc.

In addition, the address the hacker transferred funds to on the Avalanche chain (1729320 USDTs) may have been blacklisted, but the address the funds were transferred to on Arbitrum (2000000 USDTs) has not yet been blacklisted.


11:30

According to the monitoring of the security team of the Euke Cloud Chain Guard, as of the current time, the hacker's address has a balance of 1.02 million BNBs, 41.28 million vBNBs, 28.81 million BUSDs, and 2.77 million USDTs. Calculated at current market prices, the cumulative value exceeds 700 million US dollars. The loss from this hacking incident exceeded Ronin Network's previous loss of $620 million, making it the highest amount of money hacked so far.

The hacker in this case used the ChangeNOW service to transfer the initial attack funds (over 100 BNBs) to the BSC chain as early as October 6th. Subsequently, the hacker registered as a relayer by calling the system RelayerHub contract 0x1006, and then launched an attack on the system CrossChain contract 0x2000.


13:02

BNBChain tweeted that BSC v1.1.15 has been released, and BSC validators are coordinating to restore BNB Smart Chain (BSC) within 1 hour. The new version will block activity related to the hacker's accounts. Native cross-chain communication between the BNB Beacon Chain and BNB Smart Chain has been disabled. All node operators are officially asked to upgrade to this version. Validators and the community will discuss further upgrades to fully address this issue.


14:53

BNBChain tweeted that BNB Smart Chain (BSC) started operating well over 20 minutes ago. The validators are confirming their status, and the community infrastructure is also being upgraded.
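A defender's view of the timeline above, as an added example that is not part of the original article or of any BNBChain tooling: it correlates relayer registrations with bridge withdrawals and flags a large withdrawal delivered by a freshly registered relayer, plus a rolling outflow cap. The event format, relayer names, thresholds, year and per-withdrawal amounts are assumptions made for the sketch.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample events modelled on the article's timeline. Relayer names
# are placeholders; the year and the 1,000,000 BNB split are assumptions.
EVENTS = [
    ("2022-10-01 09:00", "register", "relayer-old", 100),
    ("2022-10-07 00:55", "register", "relayer-new", 100),
    ("2022-10-07 01:30", "withdraw", "relayer-old", 350),
    ("2022-10-07 02:26", "withdraw", "relayer-new", 1_000_000),
    ("2022-10-07 04:43", "withdraw", "relayer-new", 1_000_000),
]

def detect(events, fresh=timedelta(hours=24), large=10_000,
           window=timedelta(hours=6), cap=100_000):
    """Return (time, rule, relayer) alerts for bridge withdrawals (amounts in BNB)."""
    registered = {}  # relayer -> registration time
    recent = []      # (time, amount) of withdrawals inside the rolling window
    alerts = []
    ordered = sorted(events, key=lambda e: datetime.strptime(e[0], FMT))
    for stamp, kind, relayer, amount in ordered:
        now = datetime.strptime(stamp, FMT)
        if kind == "register":
            registered[relayer] = now
            continue
        # Rule 1: large withdrawal delivered by a new (or unknown) relayer.
        since = registered.get(relayer)
        if amount >= large and (since is None or now - since < fresh):
            alerts.append((stamp, "fresh-relayer-large-withdrawal", relayer))
        # Rule 2: total outflow inside the rolling window exceeds the cap.
        recent = [(t, a) for t, a in recent if now - t <= window]
        recent.append((now, amount))
        if sum(a for _, a in recent) > cap:
            alerts.append((stamp, "outflow-cap-exceeded", relayer))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Either rule would have fired at the first withdrawal, more than two hours before the second one in the timeline.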

Transferred from Golden Finance Shanopa
