Disclaimer: This article is intended to convey more market information and does not constitute any investment advice. The article only represents the author's views and does not represent the official position of MarsBit.
Editor: Remember to follow
Source: Wu Shuo Blockchain
Original title: BNBChain was attacked for more than 500 million US dollars: Timeline sorting and reason analysis
According to the initial timeline sorting by Supremacy:
Beijing time October 7, 2022 00:55 points hacker paid 100 BNB to register as a Relayer at the block height 21955968 by calling contract 0x0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
02:26 The hacker launched an attack at the block height 21957793 by calling contract 0x00000000000000000000000000000000000000000000000000002000 (BSC: Cross Chain), and the attack made a profit of 1 million BNB.
04:43 The hacker launched another attack at the block height 21960470 by calling contract 0x00000000000000000000000000000000000000000000000000002000 (BSC: Cross Chain) and the attack made another profit of 1 million BNB.
hackers obtained 2 million BNBs from the BNB Chain Token Hub system contract in two times, and mortgaged 900,000 of them on the BNB Chain loan agreement Venus, lending 62.5 million BUSD, 50 million USDT, and 35 million USDC.
Supremacy said that as of the time being, we believed that there were problems with BSC's Merkel tree verification and the analysis is still in progress.
According to Paidun, BNB Chain attackers have transferred about $89.5 million of stolen funds into other chains (non-BNB Chain), about 58% of funds into Ethereum, about 33% of funds into Fantom, and about 4.5% of funds into Arbitrum.
Tether quickly blacklisted USDT on Ethereum (and subsequently blacklisted USDT on AVAX). BNBChain announced that it will suspend the chain. “We ask BSC validators to contact us within the next few hours so that we can plan node upgrades.”
CZ said the BSC Token Hub is the bridge between the BNB beacon chain (BEP2) and the BNB chain (BEP20 or BSC). The amount affected is currently estimated to be approximately $100 million. Analysts pointed out that although BNBChain's timely suspension caused the outflow amount to be small, it will also face an embarrassing situation in the future. If the hacker does not take the initiative to deal with it, then the question of how to deal with the amount staying in BNBChain will inevitably lead to centralization/decentralization controversy.
Slow Fog Founder Cosine Comment: Judging from theft method + coin washing method, this wave of hackers is quick and accurate. Maybe I didn’t expect that Binance is also quick and accurate (pauses BSC, joins forces such as Tether to freeze related funds) . "This wave of hackers is not simple... See if the hacker's identity can be tracked down this time." But the Chinese community also criticized this because BNBChain did not choose to deal with the coin theft cases that have occurred in a similar centralized manner.
According to Slow Fog, the source of the initial funding of the hacker was ChangeNOW. The hacker address has interacted with multiple DApps, including Multichain, Venus Protocol, Alpaca Finance, Stargate, Curve, Uniswap, Trader Joe, PancakeSwap, SushiSwap, etc.
(currently the amount of hackers' profits is distributed, from slow fog)
analyst @samczsun posted a post explaining how hackers use Binance Bridge to steal BNB. The attacker stole 1 million BNBs respectively after two times, but the height used was 110217401, which was far lower than the normal height. In addition, the proof submitted by the attacker is shorter than the legal proof, which shows that the attacker forged the proof of that particular block. The specific method is to add a new leaf node when the COMPUTEHASH function generates a hash, and then create a blank internal node to satisfy the prover, and exit early after finding the hash that matches the internal node. So far, there are only two pseudo-verifications generated in this way.
"Anyway, there is a bug in the way Binance Bridge validates proof, which may allow the attacker to forge arbitrary messages. Fortunately, the attacker here forged only two messages, but the damage could have been much more serious."
Editor in charge: Kate
