
How it was possible to steal 600 million in cryptocurrencies from Binance: guide in 7 steps

by admin

This month of October, not yet over, is already being called Hacktober by many insiders of the crypto world. The nickname comes from the many cyber attacks (hacks) on decentralized platforms in a year, 2022, that is already the worst ever in terms of the volume of money stolen by hackers.

The biggest hack of October, and one of the biggest in the history of decentralized finance, occurred on the Binance blockchain, BNB Chain. The relevance of the hack does not actually lie in the amount, which is still significant (a full 586 million dollars), but in the type of hack that was carried out and in the response of the crypto community, which openly criticized some phases of the recovery of the funds and the dubious decentralization of the BNB Chain blockchain.

All the developments of the story, some very technical and others typical of the crypto community, can be retraced in stages by investigating the transactions on the blockchain, which are freely available to everyone.

Phase 0: the hack trials

Thanks to the transparency of the blockchain, we are able to understand what the hacker did before the hack. The hacker (or hackers, we don't know) created the address with which he then performed the operation on October 5, 2022, shortly after 10 pm, funding it first with 0.44 BNB and then with just over 101 BNB. BNB is the native token of BNB Chain, also used to pay transaction fees. The funds were transferred from the same address, active since July 2021, which at its peak held over $270,000 in tokens. With the BNB, the hacker then interacted with Venus and Stargate: the former is a lending protocol (deposit tokens and receive interest on the deposit), the latter a DEX (a protocol for exchanging tokens).


The first interaction is actually a very common procedure in the DeFi (decentralized finance) world: it allows the user to pre-approve spending limits for the tokens they will want to use in the future. This way, each subsequent operation requires fewer approvals: the hacker quickly pre-approved BUSD, BSC-USD, USDC and WBNB, some on Stargate, some on Venus, some on both protocols. With these operations, the preparation was complete.

Phase 1: the hack

At 6:26 UTC (8:26 Italian time) the hacker launches the attack: he 'convinces' the BSC Token Hub to create 1 million BNB from scratch, equivalent to approximately 586 million dollars at the time of the operation. According to an analysis by @samczsun, a researcher at Paradigm, a company specializing in blockchain forensics, the hack was possible thanks to an exploit of a portion of the algorithm in the BSC Token Hub contract.

To give sufficient context, the BSC Token Hub is the bridge (software) that allows users to transfer tokens between the two parts of the Binance blockchain system, namely the BNB Beacon Chain (which manages governance) and the BNB Smart Chain (which is compatible with smart contracts). Users can interact with the BSC Token Hub directly from a section of the Binance website.

The exploit took advantage of a flaw in the way a special smart contract verified the proof of funds, which allowed the hacker to create a fictitious transaction that passed the automatic checks for the creation of new coins. Not even @samczsun was able to reproduce the code exactly, proving that the hack was of the highest standard, done by someone with deep knowledge of advanced cryptographic algorithms.
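The principle that a bridge's proof check is supposed to enforce, as an added illustration that is not the BSC Token Hub's code and says nothing about the actual flaw: a mint handler that releases tokens only when the cross-chain transfer's Merkle inclusion proof verifies strictly against a trusted root (exact proof length, in-range index, domain-separated leaf and node hashes) and the transfer has not already been processed. The transfer encoding and the names `process_mint`, `verify_inclusion` and the sample batch are assumptions for the example.

```python
import hashlib

# Domain separation: leaf and inner-node hashes use different prefixes so an
# inner node can never be presented as a leaf (a classic Merkle-proof forgery).
LEAF_PREFIX, NODE_PREFIX = b"\x00", b"\x01"

def hash_leaf(data: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + data).digest()

def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()

def build_tree(leaves: list[bytes]) -> tuple[bytes, list[list[bytes]]]:
    # Complete binary tree; the constructed sample uses a power-of-two leaf count.
    levels = [[hash_leaf(x) for x in leaves]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([hash_node(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels[-1][0], levels

def make_proof(levels: list[list[bytes]], index: int) -> list[bytes]:
    # Sibling hashes from the leaf level up to, but not including, the root.
    return [level[(index >> d) ^ 1] for d, level in enumerate(levels[:-1])]

def verify_inclusion(root: bytes, data: bytes, index: int, proof: list[bytes], depth: int) -> bool:
    # Strict: exact proof length, in-range index and root equality; anything else is rejected.
    if len(proof) != depth or not 0 <= index < 2 ** depth:
        return False
    h = hash_leaf(data)
    for sibling in proof:
        h = hash_node(sibling, h) if index & 1 else hash_node(h, sibling)
        index >>= 1
    return h == root

def encode_transfer(recipient: str, amount: int, nonce: int) -> bytes:
    # Hypothetical canonical encoding of a cross-chain transfer record.
    return f"{recipient}|{amount}|{nonce}".encode()

def process_mint(root: bytes, transfer: bytes, nonce: int, index: int,
                 proof: list[bytes], depth: int, seen: set[int]) -> bool:
    # Mint only a transfer proven against the trusted root and not already processed.
    if nonce in seen or not verify_inclusion(root, transfer, index, proof, depth):
        return False
    seen.add(nonce)
    return True

# Constructed sample batch of four legitimate transfers (not real chain data).
TRANSFERS = [(f"0xUSER{i}", 10 * (i + 1), i) for i in range(4)]
ROOT, LEVELS = build_tree([encode_transfer(*t) for t in TRANSFERS])
DEPTH = len(LEVELS) - 1
```

A forged transfer presented with a proof that belongs to a genuine leaf, a truncated proof, an out-of-range index, or a replayed nonce are all rejected by the same checks.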

Phase 2: the alarm and the stop of BNB Chain

At 00:19 Italian time on 7 October, BNB Chain's official Twitter account reports that BNB Smart Chain has been temporarily paused to investigate suspicious activity. The interesting aspect of this story is that many analysts noticed the hack only because the hacker then deposited a large part of these BNB on Venus as collateral, to borrow other tokens and then move them both within and out of BNB Chain. The operation had been very quiet until that moment, because the creation of the new coins had not occurred in a directly recognizable way, but the deposit of more than 200 million dollars in a few transactions on Venus set off the alarms of many monitoring systems for high-volume transactions. To put it with a metaphor: the thief first broke into the safe with a precision instrument and without making any noise, and as soon as he had taken the loot he ran off wildly, screaming 'I'm here, come and get me!'.

Phase 3: crypto community criticism

Hacks on decentralized finance protocols are not uncommon, especially in recent months. But Crypto Twitter (the crypto community on Twitter) reacted very badly to this hack: not to the attack itself, but to the response to the attack.

The community in fact commented with suspicion on the sudden stop of BNB Chain. How is it possible that a decentralized network, where participants should only have to trust the underlying technology, can be stopped in minutes?

BNB Smart Chain and BNB Beacon Chain are two blockchains developed by Binance and maintained by a set of validators, that is, a set of nodes (computers or computer networks) that verify transactions and secure the network itself. In general, a network is validated by a few hundred or a thousand nodes (Ethereum 2.0 now has more than 300,000, for example), while BNB Smart Chain and BNB Beacon Chain have only 44, of which 26 are actually active. Many suspect that many of these are directly under the control of Binance (or of Changpeng Zhao, its founder), and that the two BNB Chains are therefore in practice a transaction database managed by Binance. These hypotheses have been in the air for some time, but the fact that on this occasion the two blockchains were stopped in such a short time has only corroborated them, making them even more plausible.

Phase 4: second answer, the token lock

Exactly one hour later, at 1:20, the same account announces that 'it is estimated that 70-80 million dollars have been removed [from BNB Smart Chain]', but that thanks to the prompt intervention of internal and external security partners, approximately 7 million dollars have already been blocked.

Some tokens on the blockchain, in fact, such as USDC or USDT, are controlled and managed by companies that can manipulate them, for example to block their use or to burn tokens when activities outside the blockchain require it.

Phase 5: restarting BNB Chain

At around 8:30 am the BNB Chain validators agree to restart the two networks, and just before 9:00 am the Twitter account announces that the overall infrastructure is running smoothly. BNB Chain was therefore offline for approximately 7 hours.

Phase 6: announcement of the vote on the stolen funds

During the same day, in a blog post on the official BNB Chain website, it is announced that a vote will be set up to decide the future of the stolen funds. The four questions that voters will have to answer are:

  • What to do with the stolen funds: freeze them or not?
  • Use the automatic BNB burn mechanism to compensate for the stolen funds, or not?
  • Establish a bug bounty program, with rewards of up to $1M for each significant bug found.
  • Establish a bounty to help catch the hackers, with a reward of up to 10% of the recovered funds.

As an addendum, it was added that 'efforts will be made to increase the overall number of validators on BNB Chain' – probably in response to the criticisms referred to in phase 3.

Phase 7: the hard fork

A few days after the latest news about the hack, on October 12 BNB Chain announces a forced update (hard fork) of the networks, which validators will have to install on their computers/servers to keep the blockchains online. The update started at 10:00 in the morning and no problems were found. The update fixed the bugs that allowed the hacker to create 2 million BNB out of thin air.

The future

The story of the BNB Chain hack is much more complex than it seems: although operations of this type are happening more and more often – especially because there is much more media attention – users and professionals are aware that there is a lot to improve and that it will be a very long road to the total security of the funds used in decentralized finance protocols.

But what the crypto community finds unacceptable is the false sense of decentralization. In other cases, when a hack occurs or there is a security problem, it takes weeks, if not months, to orchestrate a response and an action plan. It seems paradoxical, but slowness is a symptom of a true decentralization of power. In 2016, for example, the Ethereum network was overwhelmed by the hack of TheDAO, a protocol for managing users' funds, similar to an investment fund. In that case it was so difficult to reach an agreement on the future of Ethereum that the blockchain was split in two: on one side Ethereum, on the other Ethereum Classic, each embodying a different choice. If there is no discussion and, indeed, everything is resolved in a few hours, the promise of decentralization, and therefore of the freedom of one's own funds, fails. An issue that will be talked about for a long time to come.
