In a shocking turn of events, the Ankr aBNBc contract was recently attacked, resulting in the creation of an additional 10 trillion aBNBc tokens. This is particularly concerning because BNB Chain had recently launched its liquid staking feature, which lets users earn interest by staking their BNB tokens with the liquid staking protocol and receiving aBNBc tokens in return. The attack is recorded on BscScan at the following address: https://bscscan.com/address/0xf3a465c9fa6663ff50794c698f600faa4b05c777
Quick Summary:
- Ankr aBNBc contract was attacked, resulting in the creation of 10 trillion additional aBNBc tokens.
- Ankr announced they would purchase 5 million BNB worth of tokens to compensate the liquidity providers.
- Tornado Cash is being used to launder the stolen funds.
- Ankr had previously received an audit from PeckShield warning about a “trust issue of Admin Keys”, which had the potential to be used for privileged minting of aBNB tokens.
- Companies must take security warnings seriously and address any potential vulnerabilities as soon as possible to avoid catastrophic financial losses and reputational damage.
What is the Ankr Platform?
Ankr is a blockchain-based cross-chain infrastructure with a DeFi platform that enables staking and dApp development, and was designed and developed with the goal of creating a decentralized, private, and secure internet. Through the Stkr protocol, users are able to stake Ethereum (ETH) in return for aETH, which represents the future gains on their deposited staking balance. With their mainnet launched in 2019, users can deploy development nodes and build dApps on the network, or deploy staking nodes and become stakers on the ANKR Web3 platform.
What happened with the exploit?
The Ankr Exploiter was able to transfer 900 BNB into Tornado Cash, which caused the price of aBNBc to drop by 99.5%. In response to this security breach, Ankr announced that they would purchase 5 million BNB worth of tokens and use them to compensate the liquidity providers. Additionally, they plan to take a snapshot and reissue ankrBNB to everyone who was a valid aBNBc holder before the exploit.
Tornado Cash is an Ethereum-based noncustodial privacy platform that provides users with the ability to deposit and withdraw ERC-20 tokens and ETH without revealing the source of the funds. A secret hash is generated by the protocol whenever a user deposits funds into the liquidity pools and this hash is used to prove ownership when they wish to withdraw. This ensures that the source of the funds is untraceable, providing total asset privacy. In 2020, ownership of Tornado Cash was transferred to its community, making it a fully decentralized protocol. As such, no one individual or entity has control over it, thereby ensuring that users can use the protocol in complete confidence that their privacy is secure.
This incident serves as a reminder that having an audit does not guarantee security. Ankr had previously received an audit from PeckShield warning about the “trust issue of Admin Keys”, which had the potential to be used for privileged minting of aBNB tokens. The team marked the warning as “Confirmed” but failed to address the underlying issue.
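A privileged mint of this kind shows up on-chain as ERC-20 Transfer events from the zero address, so it can be detected independently of whoever holds the admin key. The following is an added example, not code from Ankr or PeckShield: it replays constructed Transfer events and flags any block whose total minted amount exceeds a share of the supply before that block. The 5% threshold, addresses, block numbers and amounts are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

ZERO = "0x" + "0" * 40  # ERC-20 mints/burns appear as Transfers from/to this address


@dataclass(frozen=True)
class Transfer:
    block: int
    sender: str
    recipient: str
    amount: int


def flag_mint_spikes(events, initial_supply, max_ratio=0.05):
    """Replay Transfer events in block order and return (block, minted, supply_before)
    for every block whose minted total exceeds max_ratio of the supply
    at the start of that block."""
    by_block = defaultdict(list)
    for ev in events:
        by_block[ev.block].append(ev)

    supply, alerts = initial_supply, []
    for block in sorted(by_block):
        minted = sum(e.amount for e in by_block[block] if e.sender == ZERO)
        burned = sum(e.amount for e in by_block[block] if e.recipient == ZERO)
        # Summing per block means a mint split across several transfers is still caught.
        if minted > max_ratio * supply:
            alerts.append((block, minted, supply))
        supply += minted - burned
    return alerts


# Constructed sample data: addresses, blocks and amounts are illustrative only.
SAMPLE = [
    Transfer(100, ZERO, "0xuser1", 1_000),        # ordinary stake, small mint
    Transfer(100, "0xuser1", "0xuser2", 400),     # plain transfer, ignored
    Transfer(101, "0xuser2", ZERO, 400),          # burn on unstake
    Transfer(102, ZERO, "0xunknown", 6 * 10**12), # abnormal mint, split in two
    Transfer(102, ZERO, "0xunknown", 4 * 10**12),
]

if __name__ == "__main__":
    for block, minted, before in flag_mint_spikes(SAMPLE, initial_supply=150_000):
        print(f"block {block}: minted {minted} against prior supply {before}")
```

An alert like this is a signal to pause integrations that price or accept the token; it does not replace removing single-key mint authority in the contract itself.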
As this incident demonstrates, it is essential that companies take security warnings seriously and address any potential vulnerabilities as soon as possible. Without proper security measures in place, companies risk potentially catastrophic financial losses and reputational damage. It is therefore important that companies regularly review their security protocols and remain vigilant against possible threats.