Ankr infrastructure protocol under attack! The circulating supply of aBNBc surpasses trillions, stablecoin HAY affected and unpegged

share
Ankr infrastructure protocol under attack! The circulating supply of aBNBc surpasses trillions, stablecoin HAY affected and unpegged

BNB-based infrastructure protocol Ankr was maliciously attacked today, resulting in the token price of aBNBc dropping to zero. This incident also affected the stablecoin protocol Helio on BNB, with its over-collateralized stablecoin HAY briefly plummeting to $0.2 and has not recovered as of now.

Ankr Hacked, aBNBc Tokens Mass-Produced

Cybersecurity firm PeckShield issued a warning this morning that Ankr was hacked, leading to the unlimited minting of countless aBNBc tokens, which were then swapped for USDC, BUSD, and BNB through DEX platforms like PancakeSwap. This incident caused the price of aBNBc to plummet by 99%, and the liquidity in related pools on PancakeSwap almost vanished.

Note: Users who stake BNB on Ankr receive a staking certificate for aBNBc.

After converting aBNBc into other tokens, PeckShield stated that the hackers laundered the funds through the Tornado Cash mixing protocol and then moved the tokens to Ethereum via cross-chain bridges Multichain and CelerNetwork. The hackers currently hold 3,000 ETH and 500,000 USDC.

Regarding the cause of the incident, Binance CEO CZ mentioned that the preliminary analysis suggests that Ankr's deployer private key was compromised, allowing the hackers to upgrade the smart contract to a malicious one. PeckShield analyzed the contract code of aBNBc and found a bug that enabled unlimited minting, allowing attackers to mint tokens at will.

This bug has been exploited by numerous malicious actors. According to BscScan data, the price of aBNBc has dropped to zero, and the circulating supply has reached an astronomical figure.

Ankr's Official Response

Following the attack on aBNBc tokens, Ankr's team continues to respond to the situation. They are in contact with exchanges to halt trading, reassuring users that assets staked on Ankr are safe, and the infrastructure remains unaffected.

Ankr urges users not to conduct any further transactions and advises liquidity providers to withdraw tokens from the pools while keeping aBNBc. The team has taken a snapshot and plans to reissue aBNBc in the future.

Profiting from the Disaster: User Makes $15 Million with 10 BNB

During the aBNBc vulnerability exploitation, media outlet Wu Blockchain discovered a user who made $15 million by exploiting price oracle issues. Here is the operation process:

  1. Due to the plummeting price of aBNBc, the user exchanged 10 BNB for approximately 184,000 aBNBc on 1inch.
  2. The user deposited the aBNBc into the stablecoin protocol Helio on the BNB chain, receiving hBNB deposit certificates.
  3. After depositing hBNB into Helio, the user borrowed around 16.44 million HAY.
  4. The user exchanged all HAY for BUSD on 1inch, resulting in a profit of approximately $15.5 million.

Note: HAY is a stablecoin with over-collateralization mechanism similar to DAI on Ethereum.

Due to massive selling of HAY on 1inch, the price briefly dropped to $0.2, and it is currently unstable, with a price of $0.67 at the time of writing.

After the incident, Helio's team responded, assuring users that their assets are safe but temporarily halting all Helio functions. The Helio team is currently discussing a restart plan for aBNBc with Ankr and promises compensation to affected users.

Ankr Compensation Plan Updated on 12/2 Evening

After assessment, the Ankr team estimated losses of up to $5 million, stemming from BNB in the liquidity pool. To compensate affected liquidity providers due to the pool depletion, Ankr will purchase $5 million worth of BNB.

Additionally, Ankr will take a snapshot to reissue ankrBNB to the holders of aBNBc before the attack. The future ankrBNB tokens can be used for redemption, but aBNBc and aBNBb cannot be redeemed.