Cyber-criminals have recently made off with an estimated two million Binance coins (BNB) from a popular cross-chain bridging service, resulting in a potential haul of over $570 million at current exchange rates.
According to a thread on Twitter by @samczsun, a researcher at crypto investment firm Paradigm, the heist at Binance Bridge was orchestrated by exploiting a vulnerability in the bridging service’s validation of “proofs.” This allowed the hacker to request one million BNB from Binance Bridge on two separate occasions.
@samczsun explained that there was a bug in the way Binance Bridge verified proofs, which could have been used by attackers to forge arbitrary messages. Fortunately, the hacker only forged two messages in this instance, but the consequences could have been much more severe.
The hack specifically targeted BSC Token Hub, the bridge connecting BNB Beacon Chain (BEP2) and BNB Chain (BEP20 or BSC), as confirmed by Binance CEO Changpeng Zhao. In response to the breach, Binance temporarily suspended BSC to contain the issue and assured users that their funds were secure.
Despite the significant value of the stolen funds, it appears that the threat actor was able to move only a fraction of the total amount off the BNB Smart Chain, thanks to the collaborative efforts of the crypto community. Estimates suggest that between $100 million and $110 million worth of funds were taken off BSC, with approximately $7 million already frozen through the combined efforts of the community and security partners.
Binance expressed gratitude for the swift and decisive actions taken by various crypto stakeholders to prevent further unauthorized transactions and lock down the stolen funds. The company acknowledged the speed and cooperation of the community in resolving the incident.
Overall, the incident serves as a reminder of the ongoing challenges and risks associated with cybersecurity in the cryptocurrency space. It underscores the importance of robust security measures and proactive community involvement in safeguarding digital assets against malicious actors.