Ankr, a supplier of decentralized Web3 infrastructure, issued an early reaction on Friday in an effort to reassure the community following the loss of at minimum $5.5 million through BNB Chain liquidity pools & money markets.
The team was able to verify that Ankr's other products, including validators, RPC nodes, and AppChain services, were not impacted in any way. Holders of Ankr's other major staking derivatives, most notably aETHc (also known as Ankr staked ether), which boasts a market cap of approximately $68 million, will find this to be a source of relief.
Update on our aBNB Token Exploit:
— Ankr (@ankr) December 2, 2022
We are grateful to our community of DEXs, exchanges, and protocols that all helped us end the exploit quickly.
We will use reserves to compensate liquidity providers for the aBNBc pools.https://t.co/B2yNWBAQdX
The Modus Operanti of the Hack
Over the course of six separate transactions, the attacker created a total of sixty trillion aBNBc. The thief proceeded to drain liquidity through decentralized exchanges on the BNB Chain using the newly created tokens, despite the fact that they were unbacked.
After this, the hacker broke into the lending and borrowing system Helio by extracting $16 million in HAY, the protocol's proprietary stablecoin, and exchanging it for $15.5 million BUSD, which is the Binance stablecoin produced by Paxos. This allowed the attacker to raid Helio successfully.
According to DeFiLlama, Helio's Total Value Locked amounted to $90 million before the hack was discovered.
1/ The team at Helio Protocol is aware of the situation and we are closely working with @Ankr to manage the situation and to support our community during this difficult time.
— Helio Protocol ($HAY) 🔶 (@Helio_Money) December 2, 2022
Chandler Song, Co-Founder and CEO of Web3, said in a release that "Hacks and exploits from bad actors like these are an undesirable possibility in Web3, even with every attention to detail in security processes — but we were well prepared."
Next Plan of Action?
A recommended "action plan" described how users of aBNBc can be paid through a new ankrBNB token, which will be minted & airdropped on a pre-exploit snapshot of on-chain data. This token will be dependent on a pre-exploit snapshot of on-chain data.
It is not known how exactly the private key for the aBNBc smart contract deployer was stolen; nonetheless, the attack appears to have been caused by the malicious usage of the private key for the deployer. To protect against this kind of attack, the best practices in the industry recommend using multisignature wallets & timelocks on upgradeable smart contracts.
Other suppliers of liquid-staked BNB, such as pSTAKE, use multi-sig to protect important contracts and limit access to token minting processes. In contrast, completely decentralized dapps, such as Uniswap on Ethereum, are not upgradeable in any way. pSTAKE is one example.
Although the full amount of the collateral damage is not yet known, Ankr has stated its intention to compensate customers of connected DeFi dapps for any damages they may have sustained as a result of the incident.
According to the official Twitter account of Helio Protocol, Ankr will pay the bad debt incurred by Helio Protocol, pending the conclusion of continuing conversations. As an example, Ankr will pay the bad debt incurred by Helio Protocol.
3/ Helio Protocol and @Ankr have also discussed a bilateral agreement where @Ankr will be covering Helio Protocol's bad debt as a result of this exploit.
— Helio Protocol ($HAY) 🔶 (@Helio_Money) December 2, 2022
More details to be announced.
