A complete analysis of how hackers stole 2 million BNB from Binance Chain

"Event Review" Binance Chain suffered the largest hacker attack in history

In the early morning of October 7, BNB Chain was attacked by hackers, with the total amount involved reaching US$700 million, including US$570 million of BNB. According to Binance founder Zhao Changpeng, the main reason for this "attack" that shocked the entire industry was a vulnerability in the cross-chain bridge "Token Hub".

Golden Finance has compiled a full account of the incident and invited the Beosin security team to analyze the attack method.

The attack method is as follows:

The Binance cross-chain bridge, BSC Token Hub, uses a special precompiled contract to verify the IAVL tree when validating cross-chain transactions. However, this implementation has a vulnerability that may allow attackers to forge arbitrary messages.

1) The attacker first selects a hash value of a successfully submitted block (specified block: 110217401)

2) Then construct an attack payload to verify the leaf node on the IAVL tree

3) Add an arbitrary new leaf node to the IAVL tree

4) At the same time, add a blank internal node to satisfy the implementation proof

5) Adjust the leaf node added in step 3 so that the calculated root hash is equal to the correct root hash selected in step 1 for successful submission

6) Finally, a withdrawal proof for this specific block (110217401) is constructed.

Beosin Trace is tracking the stolen funds in real time.
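A simplified model of the flaw class described in the steps above, added here as an example (it is not Beosin's, Binance's or the IAVL library's code): the node layout, hash encoding and all keys and values are constructed assumptions. It shows a proof field that the root hash does not commit to, and the strict check a verifier needs in order to reject a proof that carries one.

```python
import hashlib
from dataclasses import dataclass

def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed fields (toy encoding, not IAVL's)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def leaf_hash(key: bytes, value: bytes) -> bytes:
    return h(b"leaf", key, value)

@dataclass
class Inner:
    """One step on the path from the proven child up to the root."""
    left: bytes = b""   # sibling hash when the proven child is the right child
    right: bytes = b""  # sibling hash when the proven child is the left child

def inner_hash(node: Inner, child: bytes) -> bytes:
    # Flaw being modelled: when `left` is set, `right` is never hashed,
    # so the root does not commit to whatever the prover puts there.
    if not node.left:
        return h(b"inner", child, node.right)
    return h(b"inner", node.left, child)

def verify(root, leaves, path, strict):
    """Range-style proof: leaves[0] is hashed up `path` to the root; every
    further leaf must match a `right` sibling recorded on that path."""
    # Hardened mode: a proof node may carry only one sibling hash.
    if not leaves or (strict and any(n.left and n.right for n in path)):
        return False
    hashes = [leaf_hash(k, v) for k, v in leaves]
    cur = hashes[0]
    for node in path:
        cur = inner_hash(node, cur)
    siblings = {n.right for n in path if n.right}
    return cur == root and all(x in siblings for x in hashes[1:])

def demo():
    # Constructed two-leaf tree; keys and values are made-up sample data.
    a, b = (b"seq:1", b"entry one"), (b"seq:2", b"entry two")
    forged = (b"seq:3", b"entry never committed to the tree")
    root = h(b"inner", leaf_hash(*a), leaf_hash(*b))
    honest = ([a, b], [Inner(right=leaf_hash(*b))])
    bad = ([b, forged], [Inner(left=leaf_hash(*a), right=leaf_hash(*forged))])
    return [verify(root, *honest, strict=True),   # honest proof: accepted
            verify(root, *bad, strict=False),     # forged, flawed check: accepted
            verify(root, *bad, strict=True)]      # forged, hardened: rejected
```

The property to test for in any Merkle proof verifier is the one the strict branch enforces: every field a proof carries must either feed the root hash or cause the proof to be rejected.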

The timeline of events is as follows:

October 7, 00:55

The hacker paid 100 BNB to register as a Relayer by calling the contract at block height 21955968.

2:26~4:43

The hacker obtained a total of 2 million BNB from the BNB Chain's "TokenHub" system contract in two batches (2:26 and 4:43).

900,000 BNB were used as collateral on the BNB Chain lending protocol Venus to borrow 62.5 million BUSD, 50 million USDT, and 35 million USDC. In addition, according to independent analysts on the social media account CIAOfficer, the hacker's holdings currently include 1.04 million BNB, venusBNB worth $389 million, and $28 million BUSD, totaling $718 million. This makes it the largest on-chain attack in history by amount.

5:48

The Block researcher Eden Au tweeted that Tether has blacklisted the BNB Chain attacker address (0x489a8756c18c0b8b24ec2a2b9ff3d4d447f79bec). In addition, the attacker also holds more than $45 million in ETH.

6:19~6:35

BNB Chain tweeted that it was undergoing maintenance due to abnormal activity and had temporarily suspended all deposits and withdrawals through BNB Chain until further updates. "We suspended BNB Chain after identifying a potential vulnerability. All systems are now under control. We are investigating the potential vulnerability. We know that the community will assist and help freeze any transfers." BNB Chain said in another tweet that the funds withdrawn were approximately US$70 million to US$80 million, and US$7 million had been frozen. It is reported that the hacker attack resulted in the theft of assets worth approximately US$718 million, including 2 million BNB.

7:51

Binance CEO Changpeng Zhao tweeted that a vulnerability on the BNB Chain cross-chain bridge "Token Hub" resulted in extra BNB, and all validators have been asked to temporarily suspend BNB Chain. The problem is now under control, the funds are safe, and further updates will be provided accordingly.

8:47

Paradigm researcher samczsun posted on social media that on-chain data and the related code show a bug in the verification method of the BSC cross-chain bridge, which may allow attackers to forge arbitrary messages. In this attack, the attacker forged a message that passed the bridge's verification, causing the cross-chain bridge to send 2 million BNB to the attacker's address.

9:00

Data shows that the BNB Chain vulnerability attacker used cross-chain bridges such as Stargate and Multichain to transfer assets, sending approximately US$53.35 million and US$48.8 million to the Ethereum and Fantom networks respectively. There is still approximately US$430 million on the BNB Chain.

9:22

BNB Chain officials posted on social media that they have asked BNB Chain node validators to contact them in the next few hours so that node upgrades can be planned.

9:29

Binance founder Zhao Changpeng retweeted and said: “It is not possible to give a specific estimated time for the upgrade for the time being. Binance gives developers time to fully understand the root cause of this incident, implement fixes and conduct in-depth testing before continuing.”

9:45

SlowMist posted on social media that it has monitored that the hacker address of the BNB Chain theft has interacted with multiple dApps, including Multichain, Venus Protocol, Alpaca Finance, Stargate, Curve, Uniswap, Trader Joe, PancakeSwap, SushiSwap, etc.

In addition, the address the hacker transferred funds to on the Avalanche chain (1,729,320 USDT) may have been blacklisted, but the address used on Arbitrum (2,000,000 USDT) has not been included for the time being.

11:30

According to monitoring by the OKEx Chain Guardian Security Team, the balance at the hacker's address currently stands at 1.02 million BNB, 41.28 million vBNB, 28.81 million BUSD, and 2.77 million USDT, worth more than $700 million at the current market price. The loss from this incident exceeds the $620 million lost in the earlier Ronin Network hack, making it the largest hack by amount so far.

In this case, the hacker used the ChangeNOW service to transfer the initial attack funds (more than 100 BNB) to the BSC chain as early as October 6. The hacker then registered by calling the system RelayerHub contract 0x1006, and then launched an attack on the system CrossChain contract 0x2000.

13:02

BNB Chain tweeted that BSC v1.1.15 has been released and BSC validators are coordinating to restore BNB Smart Chain (BSC) within 1 hour. The new version will prevent activities related to hacker accounts. Native cross-chain communication between BNB Beacon Chain and BNB Smart Chain has been disabled. Officials require all node operators to try to upgrade to the above version. Validators and the community will discuss further upgrades to completely resolve this issue.

14:53

BNB Chain tweeted that BNB Smart Chain (BSC) started running well more than 20 minutes ago. Validators are confirming their status and community infrastructure is also being upgraded.
