$570 Million In Crypto Stolen On Binance Bridge

 

$570M Binance Hack: What Happened & Who Is Responsible?

 

Author: Dušan Trojanović / Last Updated: 10/23/2022

Reviewed By: Dalibor Gašić & Michael Swanagan, CISSP, CISA, CISM

Summary Of The Attack

 

  • A cyberattack on October 4, 2022, resulted in the theft of about two million BNB (Binance Coin) tokens, exchangeable for over $570 million in fiat currency.
  • The BSC Token Hub cross-chain bridge, which connects the BNB Beacon Chain/BEP2 and BNBChain/BEP20 chains, was exploited by the hacker.
  • As quickly as possible, the hacker started distributing some of the funds around other liquidity pools in an effort to convert the BNB into other assets.
  • Binance plans to hold on-chain governance votes to decide whether to offer a 10% bounty for finding the hacker and returning the funds and to set up a bug bounty program to award $1 million to those who report serious bugs.


What Happened?

 

A cyber attack on October 4, 2022, resulted in the theft of about two million BNB (Binance Coin) tokens, exchangeable for over $570 million at the time of writing.

 

In order to conduct an investigation, Binance paused the BNB Smart Chain on October 6th, 2022, after acknowledging a security incident.

 


Later that day, the CEO of Binance disclosed that an exploit in the BSC Token Hub had been used to send BNB to the attacker, and that Binance had then asked all validators to suspend the Binance Smart Chain. He added that the issue was contained and that customers' funds were safe.

What Was The Impact?

 

Initial estimates put the amount of money removed from the Binance Smart Chain at between $100M and $110M.

 

However, an estimated $7M was quickly frozen thanks to the community, internal teams at Binance, and outside security partners.

 

The breach allowed hackers to get away with approximately $570 million in digital assets, including:

 

  • Ethereum
  • Polygon
  • BNB Chain
  • Avalanche
  • Fantom
  • Arbitrum
  • Optimism

 

In the wake of the breach, BNB’s price fell by about 3.7%.

How The Attack Happened

 

BSC (Binance Smart Chain) started out as a fork of Ethereum, which is a protocol and decentralized blockchain.

 

In the world of cryptocurrencies, bridges work by locking funds on one side of the bridge and then releasing an equal amount of other funds on the other side of the bridge.

 

Bridges are beneficial for connecting blockchains, but because they frequently require a central storage location to lock deposited assets, they are generally seen as being less secure than base-layer networks like Bitcoin and Ethereum.

 

The BSC Token Hub cross-chain bridge, which connects the BNB Beacon Chain/BEP2 and BNBChain/BEP20 chains, was exploited by the hacker.

 


Data in smart contract blockchains are stored in trees. The Cosmos ecosystem’s AVL tree implementation is used by the Binance Bridge.

 

The data representation is known as the Merkle tree. Hash functions are used to validate these trees.

 

A proof is checked by recomputing hashes up the tree, from the leaf nodes to the root.

 

Who owns what can be altered if someone is able to manipulate the data in leaf nodes while still producing hashes that are validated as accurate by higher-up nodes.

 

This suggests that someone might have been able to forge those proofs.

Who Is Responsible?

 

The attacker, now known as the “BNB bridge exploiter,” appears to have registered as a relayer for the BSC Token Hub bridge as the initial step in the attack so they could set up for the exploit.

 

The BSC Token Hub bridge was able to accept forged proof messages created by the attacker.

 


The bridge’s failure to completely verify the Merkle tree to the root hash likely caused the problem, allowing the attacker to create forged proofs from an earlier, legitimate one and mint BNB directly to their wallet.
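
The verification gap described above, shown as an added example (not code from the original article or from the BSC Token Hub): a simplified binary Merkle tree in which `verify_full` recomputes every hash from the leaf to a trusted root, while the constructed `verify_partial` trusts an intermediate hash carried in the proof. All function names, messages and the tree layout are assumptions for illustration and do not reproduce the bridge's actual proof format.

```python
import hashlib
import hmac

def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()   # domain-separated leaf hash

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves):
    """All tree levels, leaf hashes first, root last (power-of-two leaf count)."""
    levels = [[leaf_hash(x) for x in leaves]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def make_proof(levels, index):
    """Sibling path for leaf `index`: list of (sibling_hash, sibling_is_left)."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((level[sib], sib < index))
        index //= 2
    return path

def fold(start, path):
    """Hash upward from `start` along the sibling path."""
    h = start
    for sib, sib_is_left in path:
        h = node_hash(sib, h) if sib_is_left else node_hash(h, sib)
    return h

def verify_full(leaf, path, trusted_root):
    """Hardened: recompute every hash from the claimed leaf to the trusted root."""
    return hmac.compare_digest(fold(leaf_hash(leaf), path), trusted_root)

def verify_partial(leaf, claimed_parent, upper_path, trusted_root):
    """Flawed (constructed): trusts `claimed_parent`, never binds `leaf` to it."""
    return hmac.compare_digest(fold(claimed_parent, upper_path), trusted_root)

# Constructed sample data: four messages committed under one root.
LEAVES = [b"pay alice 1", b"pay bob 2", b"pay carol 3", b"pay dave 4"]
LEVELS = build_levels(LEAVES)
ROOT = LEVELS[-1][0]
PATH = make_proof(LEVELS, 1)      # legitimate proof for "pay bob 2"
PARENT = LEVELS[1][0]             # intermediate hash reused from that proof
TAMPERED = b"pay bob 2000000"     # altered leaf content

def demo():
    return {"full_ok": verify_full(LEAVES[1], PATH, ROOT),
            "full_tampered": verify_full(TAMPERED, PATH, ROOT),
            "partial_tampered": verify_partial(TAMPERED, PARENT, PATH[1:], ROOT)}
```

The partial verifier accepts the altered leaf because the upper part of a legitimate proof still hashes to the root; only the full recomputation ties the leaf content to that root.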

 


The attack proved to be unique because the attacker did not steal existing funds, but rather minted new ones.

 

As quickly as possible, the hacker started distributing some of the funds around other liquidity pools in an effort to convert the BNB into other assets.


Not Binance’s First Hack

 

This is not Binance’s first significant hack.

 

In 2019, a hacker stole over 7,000 bitcoins from the exchange, costing Binance almost $40 million.

 

Although the funds were never found, the business compensated customers for their losses.

 

The theft is the most recent in a string of attacks against blockchain bridges, which enable cross-blockchain transactions via so-called smart contracts.

 

The $191 million Nomad theft happened in August. Prior to that, there was the:

 

What Is Binance’s Response?

 

Binance plans to hold on-chain governance votes to decide whether to:

 

  • Offer a 10% bounty for finding the hacker and returning the funds.
  • Set up a bug bounty program to award $1 million to those who report serious bugs.
  • Freeze the hacked funds.
  • Use BNB auto-burn to restore the remaining hacked funds.

 

Cross-chain bridges have emerged as the most frequent target of ultra-high value hacks in recent years, in part because they constantly hold enormous amounts of cryptocurrency tokens.

 


Dušan Trojanović

Dušan is a Senior Security Engineer actively working as a penetration tester in DevSecOps projects. He is also an avid security researcher bringing forward analysis on the latest attacks and techniques.
