On December 1st, Ankr discovered a hack in which malicious actors modified the smart contract for its BNB liquid staking token (aBNBc) and altered the developer’s private key. Following Ankr’s own research and analysis, the team has determined that the amount of BNB that was lost across all liquidity pools in different DEXes is around $5 million. Fortunately, Ankr has already addressed the security flaw and will swiftly compensate the liquidity providers that were impacted.
Talking about tackling the token hack, Chandler Song, Co-Founder & CEO, Ankr, said, “Thanks to the fast actions from the Ankr team and various protocols, we were able to minimize any damage done extremely quickly. Hacks and exploits from bad actors like this are an unfortunate possibility in Web3, even with every attention to detail in security processes – but we were well prepared. Unlike previous events in the industry this year, we are doing the right thing by our community and ensuring that this is taken care of immediately with lost funds restored.”
What Exactly Happened?
The exploiter was able to make an infinite supply of the aBNBc token by utilizing the smart contract for this token and then exchanging it for USDC. Binance’s native BNB currency is represented by the aBNBc coin, which is a staked form of BNB that receives rewards from validation efforts. Before the attack, the aBNBb smart contract was protected from third-party minting. Nonetheless, the hacker was able to gain access to the deployer key and use it for their own purposes.
After that, the attacker deployed a new aBNBb contract, which included an additional mint method that performed no authorization checks. The attacker created an excessive amount of aBNBb out of thin air and then hastily tried to trade it on decentralized exchanges for other tokens. The address 0xf3a exploited this flaw in Ankr’s contract code, which allowed an unlimited number of mints, to mint a total of 60 trillion aBNBc across six separate transactions.
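The sequence described above (a contract replacement followed by very large mints) is detectable from a token's event stream. The Python monitor below is an added example, not Ankr's code or tooling and not part of the original article; it flags unapproved implementation changes and mints that come from an unauthorized caller or dwarf the existing supply. The event fields, address labels, starting supply, 5% threshold, and the even split of the six mints are all constructed assumptions.

```python
from dataclasses import dataclass

ZERO = "0x" + "0" * 40  # a BEP-20 mint is logged as a Transfer from the zero address

@dataclass
class Event:
    tx: str
    kind: str          # "Upgraded" or "Transfer"
    caller: str        # account that sent the transaction
    to: str            # new implementation (Upgraded) or recipient (Transfer)
    src: str = ""      # Transfer only: from-address
    amount: int = 0    # Transfer only: whole tokens

def scan(events, supply, minters, approved_impls, max_ratio=0.05):
    """Return (tx, reason) alerts; supply is the token supply before the first event."""
    alerts, untrusted_code = [], False
    for ev in events:
        if ev.kind == "Upgraded":
            if ev.to not in approved_impls:
                untrusted_code = True
                alerts.append((ev.tx, "implementation changed outside change control"))
        elif ev.kind == "Transfer" and ev.src == ZERO:
            reasons = []
            if untrusted_code:
                reasons.append("mint after unapproved upgrade")
            if ev.caller not in minters:
                reasons.append("caller is not an authorized minter")
            if ev.amount > supply * max_ratio:
                reasons.append("mint exceeds %.0f%% of supply" % (max_ratio * 100))
            if reasons:
                alerts.append((ev.tx, "; ".join(reasons)))
            supply += ev.amount  # track supply so later mints are judged against it
    return alerts

# Constructed sample data: labels and amounts are illustrative, not chain data.
POOL, ATTACKER = "staking-pool (placeholder)", "attacker (placeholder)"
SAMPLE = [Event("tx1", "Transfer", POOL, "user-a", ZERO, 1_000),
          Event("tx2", "Upgraded", "deployer (placeholder)", "impl-unreviewed")]
# Six mints totalling 60 trillion, as the article reports; the even split is assumed.
SAMPLE += [Event("tx%d" % (i + 3), "Transfer", ATTACKER, ATTACKER, ZERO, 10**13)
           for i in range(6)]

def run_sample():
    return scan(SAMPLE, supply=10_000_000, minters={POOL}, approved_impls={"impl-v1"})

if __name__ == "__main__":
    for tx, reason in run_sample():
        print(tx, reason)
```

On the sample stream the ordinary staking mint passes silently, while the upgrade and each of the six subsequent mints raise an alert, which is the point at which emergency procedures such as halting trading would be triggered.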
The hacker was successful in exchanging some of the tokens for the stablecoin USDC and started moving them off of the Binance Smart Chain and onto Ethereum before the transactions were identified as suspicious. The Ankr team has validated that the damages that have been incurred are somewhere in the range of $5 million in BNB. There have been no other reports of problems with liquid staking tokens or Ankr products. In a similar vein, the validators, RPC API, and AppChain services that are a part of Ankr are not experiencing any disruptions in their operations.
In addition, Ankr immediately alerted identified off-ramps to apply their emergency procedures (at a minimum, halting trading) and protected the smart contracts with a new key so that exploiters could not tamper with them any further. Ankr also upgraded its smart contracts and its infrastructure to temporarily pause the movement of the underlying collateral (BNB) as a safety measure.
Ankr’s Next Big Move To Resolve The Issue
The Ankr team is putting forth a lot of effort to find a quick and comprehensive solution to this problem. It has made the appropriate preparations to make up for the loss of finances and to put an end to the attack. Ankr is in the process of identifying everyone who has ever supplied liquidity to DEXes and every protocol that supports aBNBc or aBNBb LP, in addition to aBNBc collateral pools (Midas, Helio), and the team will inform everyone who has been impacted by this.
Ankr will purchase $5 million worth of BNB and use it to reimburse the liquidity providers who were harmed by the exploit through the draining of liquidity pools. Ankr is aware that diluted aBNBc was traded speculatively after the exploit took place. However, the only investors Ankr is allowed to compensate are those who were caught off guard by the event.
New ankrBNB tokens will be created and airdropped to users who were previously holding aBNBc or aBNBb tokens. Ankr stated that this change will take effect immediately. In addition, aBNBc and aBNBb tokens will be discontinued. A snapshot will be taken, and the newly issued ankrBNB tokens will be distributed via airdrop to all legitimate aBNBc holders before the snapshot. User collateral is kept in the same secure location as any other BNB collateral.
Ankr’s Important Guidelines For Users
Ankr is providing specific guidelines for liquidity providers in order to reduce risk. These include not trading aBNBc or buying it at a discount for speculative purposes and, if you are a liquidity supplier, withdrawing liquidity from DEXes and retaining the aBNBc token. In addition, Ankr’s snapshot was taken on December 2, 2022, at 12:43:18 AM +UTC, and it will be able to identify you if you are an affected LP.
Users of Ankr are strongly encouraged to wait for the ankrBNB airdrop, which will be distributed in proportion to the quantity of aBNBc and aBNBb that the user possessed. ankrBNB will be redeemed for staked BNB in the near future. Thanks to this action plan, the Ankr team will be able to quickly restore value to authentic token holders, and they will also be able to accelerate the migration to an improved contract that was previously anticipated.
At this point, all of the required safety procedures are being taken by Ankr in order to quickly fix the situation and restore any capital that may have been lost. As previously mentioned, Ankr would acquire $5 million worth of BNB in order to repay previous liquidity providers who have been impacted by the attack due to the draining of liquidity pools. In addition, Ankr is aware of the concerns that have been raised by this among the community, and the platform will carry on with its efforts to both alleviate those concerns and prevent future events of a similar nature.
In the end, Ankr wants users to understand that all user funds as well as the underlying staked assets are secure at this moment. The platform has given assurances that all aBNB users will keep the positions they had before the token hack, including any LP Tokens they had placed in Farms and any incentives they had collected during that period for doing so. As a user-friendly platform, Ankr prioritizes users’ safety and is committed to resolving the issue and preventing such incidents in the future.