DeFi Protocol Ankr to Reimburse Users Affected by $5M Exploit
The attacker was able to mint 6 quadrillion aBNBc tokens, which was eventually turned into roughly 5 million USDC.
Dec 2, 2022 at 6:08 a.m. UTC
/arc-photo-coindesk/arc2-prod/public/LXF2COBSKBCNHNRE3WTK2BZ7GE.png)
Decentralized finance (DeFi) protocol Ankr said it will reimburse the users impacted by the $5 million exploit that occurred on its platform earlier Friday.
"We will take a snapshot and reissue ankrBNB to all valid aBNBc holders before the exploit. The ankrBNB token will continue to be redeemable, while aBNBc and aBNBb will no longer be redeemable," Ankr said in a tweet after the exploit.
Ankr, which called itself the first "node-as-a-service" platform, had suffered the multimillion-dollar exploit due to a bug in its code that allowed for unlimited minting of its token.
After minting the quadrillions of aBNBc token, the attacker was able to swap 20 trillion of them for BNB, then move those to crypto mixer Tornado Cash. The attacker then swapped the BNB tokens for 5 million USDC.
Because the hacker almost completely drained the aBNBc liquidity pools on PancakeSwap and ApeSwap, the token lost nearly 99% of its value, according to CoinGecko data.
According to security research firm PeckShield, the code behind the Ankr contract allows any user to mint an unlimited amount of the protocol’s reward-bearing staking tokens without any sort of verification. This allowed the attacker to mint six quadrillion of the aBNBc token.
Ankr tweeted that all staked assets within the protocol are currently safe. Binance CEO Changpeng Zhao tweeted that his exchange had frozen $3 million that had been sent to his exchange by the hackers.
:format(webp)/cloudfront-us-east-1.images.arcpublishing.com/coindesk/Q5AKAHZWZJCLLHOYVOJZLTPOKQ.jpg)
Secondary exploit
On-chain analyst firm Lookonchain reported that one opportunistic trader was able to cash in on the exploit and turn 10 BNB ($2,885) into 15.5 million BUSD. The trader did this by taking advantage of DeFi lending protocol Helio, which did not have up-to-date pricing on aBNBc post-crash.
The trader was also able to use the pre-crash pricing for aBNBc to borrow $16 million of the little-traded HAY stablecoin and convert that into BUSD. Since then, the HAY stablecoin has been tossed off its peg, hitting a low of 20 cents, and is now recovering, according to CoinMarketCap, with a price of 77 cents.
UPDATE (Dec. 2, 07:35 UTC): Added comment from Binance's CEO.
UPDATE (Dec. 2, 12:49 UTC): Updates headline and story to include Ankr response, new details.
Disclosure
Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is an award-winning media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. In November 2023, CoinDesk was acquired by Bullish group, owner of Bullish, a regulated, institutional digital assets exchange. Bullish group is majority owned by Block.one; both groups have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary, and an editorial committee, chaired by a former editor-in-chief of The Wall Street Journal, is being formed to support journalistic integrity.
:format(webp)/s3.amazonaws.com/arc-authors/coindesk/ff7c302f-d3ab-4905-92e1-2f7f5106d13c.png)
Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.