How Attackers Made $15M From Staking Platform Helio After Ankr Exploit

A delay in updating price data on BNB-related derivative tokens allowed some exploiters to piggyback off a previous attack.

AccessTimeIconDec 2, 2022 at 1:25 p.m. UTC
Updated Dec 2, 2022 at 3:39 p.m. UTC

An unknown group of attackers were able to drain some $15 million in liquidity from BNB Chain-based staking platform Helio on Friday morning after exploiting an oracle issue on the protocol, on-chain data shows.

HAY's staking pools continue to hold some $19 million in liquidity. (Helio)
HAY's staking pools continue to hold some $19 million in liquidity. (Helio)

Oracles are third-party services that fetch data from outside sources to within a certain blockchain. Oracles are extensively used by decentralized finance (DeFi) protocols to ensure their lending, borrowing and other services are accurate. Delays, however, could mean the loss of funds as malicious traders take advantage of price differences.

The Helio exploit came hours after the DeFi Ankr was attacked for $5 million. The Ankr attacker was able to mint 6 quadrillion aBNBc tokens, which they eventually turned into roughly 5 million USDC, as CoinDesk reported.

The Ankr exploit caused the prices of aBNBc tokens to plunge 99% in the minutes following the attack, setting the base for the second exploit on Helio. It is unclear at writing time if both the attacks were conducted by the same attacker or group of attackers.

Blockchain data shows that the Helio attacker acquired some 183,000 aBNBc tokens with 10 BNB during Asian morning hours on Friday. Delayed oracle data on Helio then allowed the attacker to borrow $16 million worth of HAY stablecoin.

The illicitly gained HAY was then swapped for 15 million Binance USD (BUSD), blockchain data cited by security firms BlockSec and PeckShield shows.

The HAY staking pool continues to hold some $19 million in locked funds, with developers stating in European afternoon hours that staked funds remained safe. Helio said in a separate tweet that it was working to mitigate the ongoing situation and asked users to avoid transacting in HAY.

Meanwhile, Binance froze some $3 million linked to the attack that were allegedly moved by the attackers to the exchange, founder Changpeng Zhao said in a Friday tweet.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Shaurya Malwa

Shaurya is the Deputy Managing Editor for the Data & Tokens team, focusing on decentralized finance, markets, on-chain data, and governance across all major and minor blockchains.

Read more about