Binance Bridge Hack
A tale of another cross-chain bridge failure
Crypto Bridge Overview
Bridges connect two parts of landed areas separated from each other by water, valleys or some other barriers. It shortens distance of travel, closes boundaries and makes it possible for people to easily move across barriers. These and more are the benefits of bridges in the course of human existence and civilization over time.
Years after the emergence of Bitcoin, saw a plethora of new blockchains built with different consensus mechanisms (rules of validating and settling transactions) in an attempt to improve upon the 1st gen blockchains and solve the blockchain trilemma problem (speed without sacrificing security and decentralisation). As disparate blockchains emerged and more utilities created such as DeFi, GameFi, NFTs and other web3 dapps, the non-interoperability problem became more obvious. There was a growing need to exchange value and transfer assets easily and securely between different chains at a cheaper cost without necessarily having to hop out of a network for another to do so.
Blockchain bridges was developed as one approach to solve the interoperability problem and connect chains of different protocols, allowing them to communicate and exchange assets/value easily same way land bridges connect people and allow ease of movement across both sides of the divide. Cross-chain bridges is one of such approach to the problem but with it comes lot of security concerns as they've become prime targets of major exploits lately. This year alone has witnessed ~ $2B asset exposure to cross-chain bridge related hacks.
Binance Bridge Exploit
In events which at first appeared to be a massive transfer of funds worth ~ $574mm (2mm BNB in two separate transfers of 1,000,000 BNB each) on October 6th from BSC: Token Hub to the wallet address 0x489A8756C18C0b8B24EC2a2b9FF3D4d447F79BEc in order to take long ETH positions vs stables using BNB as collateral and briefly pump DeFi markets at the time, is now confirmed to be a BNB Bridge hack. The hack exploited a bug in the way Binance Bridge verifies proofs.
The hacker deposited the first stolen ~ 1,000,000 BNB into Venus protocol and borrowed ~ $150mm of BUSD/USDC/USDT stablecoins, opening up an overcollaterized position of ~$255mm (900,004.42 BNB). The stablecoins were bridged to Geist, TraderJoe and other protocols with the attacker using it to borrow 11,514 ETH for possible exit.
https://debank.com/profile/0x489a8756c18c0b8b24ec2a2b9ff3d4d447f79bec
In another move, the BNB Bridge exploiter swaps ~ $12.88mm $USDC for ~ 9, 297 $ETH via Uniswap V3. Besides Fantom and Avalanche, the attackers have tainted coins in Polygon, Arbitrum, Optimism and Ethereum mainnet.
https://etherscan.io/tx/0x925eed1d337a39f1020e03aa79f72357224252a987bdf93915a98b31139107da
The second tranche of withdrawn 1,000,000 BNB saw the hacker swap small portions of 34,300 BNB for ~ $8.9mm Binance peg BSC-USD.
https://bscscan.com/tx/0x98fd7e0e4f1be0949421a796d82498fce1940c3b270c421fd096f7fe78c2aa61
Before an official tweet from BNB Chain confirmed the hack which it termed an 'irregular activity', Tether had earlier blacklisted and froze ~10mm $USDT possibly as a precautionary measure.
Binance in a move which further highlighted how centralised it’s chains are, halted the entire chain to fix the bug that was exploited to contain the situation and possibly (depending on what they decide), perform a hard fork and/or rollback txns to recover (or seize) ~ $426mm worth of BEP-20 assets in the hacker’s wallet sitting on the BSC network. This network patch and upgrades will keep the chains stable and safer to prevent future hack occurrence.
The intent of the perpetrator (s) as at the time of writing is not known. What s/he does next with the $ETH in FTM/Avax bridge, those on the mainnet and assets on non-BSC chains (estimated at ~$100mm) remains to be seen. One takeaway from this exploit reaffirms earlier fears; cross-chain bridges are far from safe. They introduce security vulnerabilities which hackers continue to explore to exploit the juicy and most times, hefty funds within cross-chain bridges.
As Ethan Buchman, the Co-founder of Cosmos network has rightly pointed out,
Bridge hacks are a real problem for our industry and they won't get better without serious commitment to higher security and standards processes. Let IBC be a shining example of what that can look like.