The BNB chain was temporarily halted after an exploit on its cross-chain bridge. The current impact estimate is between $100 million and $110 million in cryptocurrency.
According to the latest update, the BNB chain is back to business as usual, but let’s take a look at how the hack went down, according to a popular researcher.
Paradigm researcher Sam Sun stated that the attacker somehow convinced Binance Bridge to send 1 million BNB to an address they controlled. They repeated the step twice. After comparing the attacker’s transactions with the legitimate withdrawals, Sun noticed that the height used by the attacker was always the same: 110217401. However, the heights used by the legitimate withdrawals were much larger, such as 270822321, the researcher noted.
He also noted that the attacker’s proof was noticeably shorter than the legitimate withdrawal proof, meaning they had found a way to “forge a proof” for this specific block: 110217401.
Binance has a special precompile contract that is used to verify IAVL trees. When a user verifies an IAVL tree, they must specify a list of “operations”. Binance Bridge typically expects two: an “iavl:v” operation and a “multistore” operation, Sun specified. The attacker exploited a bug in the way Binance Bridge verified proofs, which allowed them to forge arbitrary messages.
Although the attacker only forged two messages, the researcher claimed that the damage could have been much worse.
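The two anomalies Sun describes, a proof height that never changes and lags far behind live withdrawals, and a proof that is noticeably shorter than usual, can be turned into a monitoring check over bridge withdrawals. The following Python is an added example, not code from Binance or from Sun; the record layout, thresholds and proof lengths are assumptions, and only the two heights 110217401 and 270822321 come from the article.

```python
from statistics import median

# Constructed sample records: (tx label, proof height, proof length in bytes).
# The heights 270822321 and 110217401 are the ones quoted in the article;
# every other value, including all proof lengths, is made up for illustration.
SAMPLE = [
    ("legit-1", 270822301, 1420),
    ("legit-2", 270822321, 1436),
    ("forged-1", 110217401, 910),
    ("legit-3", 270822355, 1428),
    ("forged-2", 110217401, 910),
]


def flag_withdrawals(records, max_lag=1_000_000, min_len_ratio=0.8):
    """Return {tx: [reasons]} for proofs that deviate from the batch baseline.

    max_lag and min_len_ratio are hypothetical thresholds, to be tuned on
    real traffic. The median baseline assumes most records are legitimate.
    """
    typical_height = median(h for _, h, _ in records)
    typical_len = median(n for _, _, n in records)
    first_seen = {}  # height -> first tx that used it
    findings = {}
    for tx, height, proof_len in records:
        reasons = []
        # Legitimate proofs track the chain tip; an old height is suspect.
        if typical_height - height > max_lag:
            reasons.append("stale height")
        # The same height appearing in several withdrawals is suspect.
        if height in first_seen:
            reasons.append(f"height reused from {first_seen[height]}")
        else:
            first_seen[height] = tx
        # A proof much shorter than usual may be missing expected nodes.
        if proof_len < min_len_ratio * typical_len:
            reasons.append("short proof")
        if reasons:
            findings[tx] = reasons
    return findings


if __name__ == "__main__":
    for tx, reasons in flag_withdrawals(SAMPLE).items():
        print(tx, "->", ", ".join(reasons))
```
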
Binance CEO Changpeng Zhao confirmed the exploit after validators were asked to temporarily suspend BSC and revealed that the problem had been contained.
“Initial estimates of funds taken from BSC are between $100 million and $110 million. However, thanks to the community and our internal and external security partners, approximately $7 million has already been frozen. We are honored by the speed and community collaboration to freeze funds.”
The latest exploit of the BNB chain and the subsequent steps taken by Binance may have contained the damage, but the community is once again facing the same dilemma regarding decentralization. Bartek Kiepuszewski, MakerDAO’s blockchain architect, expressed a similar sentiment in a tweet:
“Do we want a simple bridge but with trusted validators that can censor, freeze or confiscate funds or do we want a trustless but significantly more complicated infrastructure?”