Reported by Lu Mengxue and Ran Xuedong from China Times (www.chinatimes.net.cn) in Beijing
The crypto community has seen another hacker attack, and the protagonist of this incident is the smart contract platform BNBChain.
In the early morning of October 7th Beijing time, the smart contract platform BNBChain was attacked by hackers, and in just 2 hours, 2 million coins were looted. Subsequently, Zhao Changpeng, CEO of Binance, stated on social media that the current estimated amount of damage is $100 million (approximately RMB 710 million).
"Today's event is a challenge for BNBChain on the path of decentralization," the BNBChain community said on October 8th in response to a reporter from China Times. "The development of cross-chain bridge technology is in its early stages, and we believe that only by identifying problems can problems be solved." Nevertheless, the BNBChain community also stated that BNBChain will continue to develop on the path of decentralization, including adding more verification nodes.
2 million BNBs stolen
"This issue is currently under control and the client's funds are secure. We deeply apologize for any inconvenience caused to investors and will provide further system updates in the future," Zhao Changpeng, CEO of Binance, said on social media after the attack.
According to media reports, in the early morning of October 7th, BNBChain was attacked by hackers and 2 million coins were looted. In response, BNBChain stated on social media that, due to abnormal activity, it was under maintenance and had temporarily suspended all access transactions through BNBChain until further updates were available.
"BSC validators are coordinating to enable the latest version within an hour, first to prevent actions between hacker accounts, and second to disable native cross-chain communication between BNBBeaconChain and BNBSmartChain," the BNBChain community said on October 8th in response to a reporter from China Times. The community is requesting all node operators to try upgrading to the latest version mentioned above, and validators and the community will also discuss further upgrades to completely address this situation.
According to the BNBChain community, the incident originated from an attack by hackers on the cross-chain bridge BSCTokenHub, resulting in the issuance of more BNBs. The initial estimate of funds extracted by hackers from BSC is between $70 million and $80 million. "We have requested all validators to suspend the operation of BSC, and through the joint efforts of the BNB community and multiple security partners, an estimated $7 million has been frozen."
"The reason why the customer's funds are secure is, on the one hand, because the chain stopped and the additional coins were deleted; on the other hand, the outflow of funds has been locked and cannot be traded, so it is actually an invalid attack and has limited impact on the market," a blockchain security technician told a reporter from China Times.
BNBChain was originally named BSC (Binance Smart Chain). In its early days the BSC public chain was named BinanceSmartChain, and it involved both BinanceChain and BinanceSmartChain (BSC). The former was launched in April 2019 and mainly opened a decentralized exchange, BinanceDex; the latter was launched in September 2020 and supports writing smart contracts. In February 2022, Binance announced that the original Binance Smart Chain (BSC) would be renamed BNBChain. BNB is both the platform currency of the Binance exchange and the ecosystem token of Binance Smart Chain. As of press time, the BNB price is approximately $281.
Frequent hacker attacks
DeFi is a high-risk area for hacker attacks.
According to a report released by Chainalysis, in 2021, attackers stole a total of $3.2 billion in cryptocurrency from investors. According to statistics from TheBlock Research, there were also 15 hacking attacks targeting DeFi platforms in 2020, with stolen funds of up to $120 million and only $45.6 million recovered.
In March of this year, RoninNetwork, the Ethereum side chain of the well-known blockchain game AxieInfinity, was hacked, causing a loss of approximately $625 million (173,600 Ethereum and 25.5 million USDC), making it the largest DeFi hacking attack in history.
Since 2020, DeFi projects have developed rapidly, and at the same time they have attracted frequent attention due to security issues. Jiang Jinze, a senior analyst at the Binance Research Institute, said in an interview with a reporter from China Times that there are mainly 7 common security issues in DeFi projects: mechanism defects; code logic vulnerabilities; third-party code library/service vulnerabilities (including communication security); private key leakage or phishing attacks; insufficient internal risk control; deliberate wrongdoing by the project party, such as taking the money and running away; and security impacts caused by market participants (such as scientists running away, sandwich attacks, flash loan attacks, etc.).
Dr. Song Shuangjie, Chairman of MuseLabs, analyzed why DeFi projects are frequently targeted by hackers in an interview with a reporter from China Times. On the one hand, DeFi projects often involve large amounts of money, so the potential profits from attacks are high. On the other hand, DeFi protocols are fragile, and almost all of them are built around finance. After one or two years of development, DeFi protocols such as trading and lending have become nested within each other, infinitely amplifying risks. At the same time, DeFi is also intertwined with on-chain products such as NFTs and the Metaverse, and the complexity of the entire ecosystem has sharply increased, making it extremely difficult to grasp the risks contained inside and outside the system. In addition, due to the anonymity and openness of DeFi, access review is often not conducted, making it difficult to identify hackers, which makes DeFi attractive to hackers and keeps the cost of attack low.
"Moreover, DeFi has almost no 'regulation'. Even if the true identity of anonymous attackers is locked down through technology, it is difficult to impose any punishment on the attackers at present, so the cost of hacker attacks is too low. Even if the attack is discovered, there is almost no loss. What is even more terrifying is that some countries have systematically formed their own hacker teams, forming large-scale and long-term attacks on DeFi protocols," said Song Shuangjie.
As DeFi projects have developed, their complexity has increased significantly compared with early blockchain applications. Jiang Jinze believes that as DeFi deepens, this complexity will further increase, and the probability of software vulnerabilities is proportional to the square of complexity.
"The flaws in the project's own design are difficult to completely eliminate, and attacks caused by contract vulnerabilities are the main source of large-scale security incidents. In particular, there is a contradiction between excessive permissions in smart contracts and the pursuit of efficiency, making it difficult to achieve both," Jiang Jinze said. He analyzed that, from the perspective of the Binance chain security incident, the problem is that the cross-chain bridge app can independently lend money on another chain based on deposits received on one chain. If large-scale manual audits or delayed releases are added for safety reasons, it will inevitably affect efficiency.
At the same time, Jiang Jinze pointed out that the original intention of some permission vulnerabilities is also to protect users, such as granting project parties permission to autonomously modify contracts for governance and emergency risk measures when problems are discovered. "If such permission is removed, it may not be better."