Cointime staff: Ankr, a decentralized finance (DeFi) protocol on the BNB chain, has been hit with a $5 million exploit. A total of 10 trillion aBNBc was minted and later swapped by the attacker for 4,050,500 USDC and 5,000 BNB tokens. Ankr announced that they will use reserves to compensate liquidity providers for the aBNBc pools.
The aBNBc Token Report: Security Updates Applied & Compensation for Affected LPs
Ankr identified a hack on Dec. 1st, in which malicious actors accessed the developer private key and altered the smart contract for our BNB liquid staking token (aBNBc). After internal research and assessment, we estimate the damage to be $5m worth of BNB across liquidity pools in various DEXes. Ankr has already restored security and will promptly compensate affected liquidity providers.
“Thanks to the fast actions from the Ankr team and various protocols, we were able to minimize any damage done extremely quickly. Hacks and exploits from bad actors like this are an unfortunate possibility in Web3, even with every attention to detail in security processes – but we were well prepared. Unlike previous events in the space this year, we are doing the right thing by our community and ensuring that this is taken care of immediately with lost funds restored.”
– Chandler Song, Co-Founder & CEO, Ankr
What happened?
The exploiter was able to leverage the smart contract for the aBNBc token to create an infinite amount of this token and then exchange it for USDC. The aBNBc token represents a staked version of Binance's BNB token that earns rewards from validation efforts.
The aBNBb smart contract was safe from third-party minting prior to the attack, however, the attacker was able to obtain access to the deployer key. The attacker then uploaded a new aBNBb contract that included an extra method to mint without authorization checks. The attacker minted an excess of aBNBb out of thin air and rapidly moved to swap it out for other tokens on decentralized exchanges.
The address 0xf3a used the infinite mint bug in Ankr's contract code to mint a total of 60 trillion aBNBc across 6 different transactions. The attacker was able to swap some for the stablecoin USDC and began moving them off of the Binance Smart Chain and onto Ethereum before the transactions were flagged. The Ankr team confirmed that the losses incurred are in the region of $5 million in BNB. No other liquid staking tokens or Ankr products have been affected. Likewise, Ankr’s validators, RPC API, and AppChain services continue to operate without any disruptions.
As this occurred, Ankr simultaneously:
- Alerted known off-ramps to implement their emergency plans (minimum: halt trading)
- Secured the smart contracts with a new key to prevent any further tampering.
- Updated smart contracts and systems to temporarily pause the movement of the underlying collateral (BNB) to be safe.
What are the next steps for Ankr?
The team at Ankr is working hard to resolve this issue completely and efficiently. We have taken the necessary steps to offset the loss of funds and resolve the attack.
- We are identifying all those who provided liquidity to DEXes and all protocols supporting aBNBc or aBNBb LP, as well as aBNBc collateral pools (Midas, Helio) and we will notify all affected parties.
- Ankr will purchase $5 million worth of BNB and use this to compensate the liquidity providers that have been affected by the exploit due to the drainage of liquidity pools. We understand diluted aBNBc was speculatively traded after the exploit occurred, but we are only able to compensate LP’s caught off guard by the event.
- We are discontinuing aBNBc and aBNBb tokens effective immediately, and new ankrBNB tokens will be minted and airdropped to affected aBNBc and aBNBb users.
- We will use a snapshot and airdrop the newly-released ankrBNB tokens to all valid aBNBc holders before the snapshot. User collateral is safe with all of BNB collateral.
What should you do as a user?
To mitigate risks, Ankr is issuing the following guidelines for liquidity providers:
- Do not trade aBNBc or speculatively buy it at a discount.
- Remove liquidity from DEXes if you are a liquidity provider (and retain the aBNBc token).
- Our snapshot taken on Dec-02-2022 12:43:18 AM +UTC will identify you if you are an affected LP.
- Wait for the ankrBNB airdrop, which will be proportional to the amount of aBNBc and aBNBb that you held. ankrBNB will be redeemable against staked BNB.
This action plan allows the team at Ankr to more rapidly restore value to legitimate token holders while also accelerating the planned migration to an upgraded contract.
At this stage, all necessary precautions are being taken to promptly resolve the situation and restore lost capital. As mentioned, Ankr will purchase $5m worth of BNB to compensate previous liquidity providers that have been affected by the exploit due to the drainage of liquidity pools.
Ankr understands the concern this has created within the community and will continue working to mitigate the situation and prevent future similar incidents.
Please note that, at this time, all user funds and underlying staked assets are safe. All aBNB users will retain their positions from before, including staked LP Tokens in Farms and accumulation of rewards during that time for doing so.
All Comments