Ankr infrastructure protocol under attack! The circulating supply of aBNBc surpasses trillions, stablecoin HAY affected and unpegged
BNB-based infrastructure protocol Ankr was maliciously attacked today, resulting in the token price of aBNBc dropping to zero. This incident also affected the stablecoin protocol Helio on BNB, whose over-collateralized stablecoin HAY briefly plummeted to $0.2 and has not recovered as of now.
Ankr Hacked, aBNBc Tokens Mass-Produced
Cybersecurity firm PeckShield issued a warning this morning that Ankr was hacked, leading to the unlimited minting of countless aBNBc tokens, which were then swapped for USDC, BUSD, and BNB through DEX platforms like PancakeSwap. This incident caused the price of aBNBc to plummet by 99%, and the liquidity in related pools on PancakeSwap almost vanished.
Note: Users who stake BNB on Ankr receive aBNBc as a staking certificate.
PeckShield stated that, after converting aBNBc into other tokens, the hackers laundered the funds through the Tornado Cash mixing protocol and then moved the tokens to Ethereum via cross-chain bridges Multichain and CelerNetwork. The hackers currently hold 3,000 ETH and 500,000 USDC.
#PeckShieldAlert Ankr Exploiter has transferred 900 $BNB (~$253k) into Tornado Cash & bridged $USDC & $ETH to Ethereum, the exploiter currently holds 3k $ETH (~$3.8M) & 500k $USDC
Ankr Exploiter currently holds 19,999,999,972,926 $aBNBc & becomes the 13th largest holder of $aBNBc pic.twitter.com/TioTnuFqbP
— PeckShieldAlert (@PeckShieldAlert) December 2, 2022
Regarding the cause of the incident, Binance CEO CZ mentioned that the preliminary analysis suggests that Ankr's deployer private key was compromised, allowing the hackers to upgrade the smart contract to a malicious one. PeckShield analyzed the contract code of aBNBc and found a bug that enabled unlimited minting, allowing attackers to mint tokens at will.
Possible hacks on Ankr and Hay. Initial analysis is developer private key was hacked, and the hacker updated the smart contract to a more malicious one. Binance paused withdrawals a few hrs ago. Also froze about $3m that hackers move to our CEX.
— CZ 🔶 Binance (@cz_binance) December 2, 2022
This bug has been exploited by numerous malicious actors. According to BscScan data, the price of aBNBc has dropped to zero, and the circulating supply has reached an astronomical figure.
Ankr's Official Response
Following the attack on aBNBc tokens, Ankr's team continues to respond to the situation. They are in contact with exchanges to halt trading, reassuring users that assets staked on Ankr are safe, and the infrastructure remains unaffected.
Ankr urges users not to conduct any further transactions and advises liquidity providers to withdraw tokens from the pools while keeping aBNBc. The team has taken a snapshot and plans to reissue aBNBc in the future.
Our aBNB token has been exploited, and we are currently working with exchanges to immediately halt trading.
— Ankr (@ankr) December 2, 2022
Profiting from the Disaster: User Makes $15 Million with 10 BNB
While the aBNBc vulnerability was being exploited, media outlet Wu Blockchain identified a user who made $15 million by exploiting price oracle issues. The sequence of operations was:
- Due to the plummeting price of aBNBc, the user exchanged 10 BNB for approximately 184,000 aBNBc on 1inch.
- The user deposited the aBNBc into the stablecoin protocol Helio on the BNB chain, receiving hBNB deposit certificates.
- After depositing hBNB into Helio, the user borrowed around 16.44 million HAY.
- The user exchanged all HAY for BUSD on 1inch, resulting in a profit of approximately $15.5 million.
Note: HAY is a stablecoin with an over-collateralization mechanism similar to DAI on Ethereum.
Due to massive selling of HAY on 1inch, the price briefly dropped to $0.2, and it is currently unstable, with a price of $0.67 at the time of writing.
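The following is an added example, not part of the original article and not Helio's or Ankr's code. It models why a price feed that lags the market overvalues collateral in the sequence above, and shows a borrow-time guard that compares the feed against spot price and checks collateral supply growth. It assumes the oracle issue was a feed still reporting a pre-incident price; the feed price, loan-to-value ratio, thresholds and supply figures are assumed, and only the 10 BNB and ~184,000 aBNBc figures come from the article.

```python
from dataclasses import dataclass

# Assumed parameters, not Helio's real configuration.
BNB_USD = 281.0           # approx., from "900 $BNB (~$253k)" in the quoted alert
MAX_LTV = 0.30            # assumed loan-to-value ratio
MAX_DEVIATION = 0.10      # assumed tolerance between feed price and spot price
MAX_SUPPLY_GROWTH = 0.05  # assumed tolerated supply growth since last checkpoint

@dataclass
class CollateralState:
    oracle_price: float       # USD per token reported by the price feed
    spot_price: float         # USD per token from an independent market source
    supply_checkpoint: float  # total supply at the last trusted checkpoint
    supply_now: float         # total supply read at borrow time

def naive_borrow_limit(amount, state):
    """Borrow limit that trusts the feed price unconditionally."""
    return amount * state.oracle_price * MAX_LTV

def guard_reasons(state):
    """Return the reasons, if any, to refuse new borrowing against this token."""
    reasons = []
    if min(state.oracle_price, state.spot_price) <= 0:
        reasons.append("non-positive price")
    elif abs(state.oracle_price - state.spot_price) / state.oracle_price > MAX_DEVIATION:
        reasons.append("oracle/spot deviation")
    if state.supply_now > state.supply_checkpoint * (1 + MAX_SUPPLY_GROWTH):
        reasons.append("collateral supply jump")
    return reasons

def guarded_borrow_limit(amount, state):
    """Borrow limit that fails closed when either sanity check trips."""
    return 0.0 if guard_reasons(state) else naive_borrow_limit(amount, state)

# Constructed states. Spot price during the incident follows the article's
# swap of 10 BNB for ~184,000 aBNBc; feed price and supplies are assumed.
INCIDENT = CollateralState(oracle_price=300.0, spot_price=10 * BNB_USD / 184_000,
                           supply_checkpoint=150_000, supply_now=2e13)
NORMAL = CollateralState(oracle_price=300.0, spot_price=298.0,
                         supply_checkpoint=150_000, supply_now=151_000)

if __name__ == "__main__":
    amount = 184_000
    print("market value of collateral, USD:", round(amount * INCIDENT.spot_price))
    print("naive limit, HAY:", round(naive_borrow_limit(amount, INCIDENT)))
    print("guarded limit, HAY:", guarded_borrow_limit(amount, INCIDENT))
    print("guard reasons:", guard_reasons(INCIDENT))
```

With these assumed values the unguarded limit is about 16.56 million HAY against collateral worth about $2,810 at spot, while the guarded path refuses the loan on both checks.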
After the incident, Helio's team responded, assuring users that their assets are safe but temporarily halting all Helio functions. The Helio team is currently discussing a restart plan for aBNBc with Ankr and promises compensation to affected users.
1. Users’ asset in Helio are safe and all staked BNB are completely intact – sitting on the validators.
— Helio Protocol ($HAY) 🔶 (@Helio_Money) December 2, 2022
Ankr Compensation Plan Updated on 12/2 Evening
After assessment, the Ankr team estimated losses of up to $5 million, stemming from BNB in the liquidity pool. To compensate liquidity providers affected by the pool depletion, Ankr will purchase $5 million worth of BNB.
Additionally, Ankr will take a snapshot to reissue ankrBNB to those who held aBNBc before the attack. The future ankrBNB tokens can be used for redemption, but aBNBc and aBNBb cannot be redeemed.
The team at Ankr has assessed the damage and it is max 5M USD worth of BNB from the liquidity pools.
We are currently working hard to resolve this issue efficiently and we would like to propose the following to address the current situation:
— Ankr (@ankr) December 2, 2022