Binance, the world’s largest cryptocurrency exchange, confirmed Thursday that hackers made off with at least $100 million, but that the number could have been much higher.
The Binance blockchain, also known as BNB Chain and Binance Smart Chain, has taken the rare step of suspending transactions and fund transfers after discovering a vulnerability affecting the BSC Token Hub cross-chain bridge. These bridges are designed to facilitate the transfer of assets from one independent blockchain to another.
The vulnerability in the BSC Token Hub bridge allowed an attacker to forge messages and thereby mint new BNB tokens. Since the stolen tokens were newly minted rather than taken from existing wallets, no user funds were affected.
In a blog post on Friday, the BNB chain team said a total of 2 million BNB — worth about $568 million — was initially withdrawn by the hacker. But blockchain security company SlowMist says the attacker was only able to get about $110 million because the majority of the stolen tokens, worth about $430 million, could not be transferred after the BNB chain was suspended.
Binance CEO Changpeng Zhao said in a tweet that the company estimates the impact of the breach to be between $100 million and $110 million.
“The issue is narrowing down now. Your money is safe. We apologize for the inconvenience and will provide further updates accordingly,” Zhao said.
When reached for comment, Binance spokesperson Ismael Garcia declined to comment beyond the blog posted by the BNB Chain team, which says the BNB chain is now back up and running. The blog post adds that a new on-chain governance mechanism will be introduced to the BNB chain to combat and defend against future potential attacks.
“The bug itself is in the way Binance Bridge processes the proof of transactions that send the money from one chain to another,” Adrian Hetman, technical lead of the Triaging Team at Immunefi, a bounty program provider, told TechCrunch. “The logic checks the proof of the message, something a user submits, and proceeds with the payment if the proof is valid.”
“The hacker managed to forge such a message that tricked the contract logic into believing that the message was indeed valid, even though the hacker had no valid claim to the funds. BSC Token Hub then proceeded with the payment as everything was valid,” said Hetman.
Multi-chain bridge hacks have become common over the past year. In June, a hacker exploited a vulnerability to steal $100 million from Harmony’s Horizon bridge, and in August, attackers drained $190 million worth of cryptocurrency from the Nomad cross-chain bridge. So far this year, about $2 billion in cryptocurrency has been stolen in cross-chain bridge hacks, according to blockchain data firm Chainalysis.
Earlier this year, hackers stole $625 million after attacking Axie Infinity’s Ronin Bridge in March.