Cryptocurrency exchange Binance was put into emergency mode this Thursday following a hack. The exchange was immediately on top of the event and issued a blog post today detailing the steps taken to mitigate it. All in all, the hackers got away with $110 million in the exchange's native cryptocurrency, $BNB. However, initial reports supported by blockchain analysis reported a much greater $570 million figure (you may still see some websites carrying that number). But a rapid response from Binance halted all transactions throughout the supposedly decentralized exchange. Currently, $7 million of the stolen funds are frozen and pending recovery.
To confirm, we have suspended BSC after having determined a potential exploit. All systems are now contained, and we are immediately investigating the potential vulnerability. We know the Community will assist and help freeze any transfers. All funds are safe.October 6, 2022
The exploit targeted the cross-chain bridge between the BNB Beacon Chain (BEP2) and the BNB Smart Chain (BSC). Bridges are software applications that allow for two different blockchains to interact, locking certain assets from one chain and "minting" (creating) equivalent assets on the destination chain. Bridges have been the target of most high-level hacks in the cryptocurrency space due to the complexity of bridging disparate protocols at a single failure point. The FBI has even made a PSA on the matter.
According to the blog post, the attack occurred via a sophisticated forging of a low-level proof into a common library, enabling the hacker to mint 2 million units of $BNB without deploying any cryptocurrency to back up the exchange. After securing the 2M units, the hacker then diverted slices of the funds to other, decentralized bridging protocols with the intent of "laundering" the 2M units into different cryptocurrencies. The attacker successfully converted the equivalent of $57 million to the Fantom blockchain protocol and its native token, another $53 million to Ethereum, and $400K to Polygon.
The Binance blog post asked Binance's stakeholders - essentially, anyone holding $BNB - to participate in a series of polls to allow for a community-based decision on the next steps. These governance votes, which will happen on-chain, will decide whether the hacked funds should remain frozen (it's unclear what repercussions this could have on users) or not. Additionally, Binance will be holding a vote on creating a bug bounty reward system - something that most blockchains already feature and which has led to numerous "white hat" exploitations that saw funds being siphoned and returned in exchange for sometimes million-dollar bounties.
One of the promises of blockchain technology, and cryptocurrencies, in particular, is decentralization. This is achieved by having as many users as possible carrying a copy of the blockchain proper, which ensures that there's always a way to find a true version of the transaction history. In most blockchains, however, validators aren't done by the average cryptocurrency user but by trusted nodes. These nodes have been given the power to participate in transaction recording and in securing the blockchain from a 51% attack (where anyone controlling half of the validators can create his own artificial transactions and enforce them on the blockchain with finality).
But decentralization means that no single player can alter or even halt the writing on the public ledgers that constitute any and all blockchains. The Binance Chain, on the other hand, was forced to show its centralized hand in that it managed to contact all 26 validators (44 in total across different time zones), alerting them to the theft and stopping new transaction blocks from being created. This may have stemmed the bleeding and prevented the stolen funds from actually leaving the chain. Still, it has undoubtedly caused stress to users, who were unable to do anything with their funds until the chain was restarted, which happened earlier today.
It also raises the question of future halts in the BNB chain and what that could mean for users' funds in the event of a more severe misstep.
While there are risks regarding centralization, the case can also be made for the impact of Binance electing not to halt its chain. With two million additional units of the BNB coin appearing out of thin air, the price of each $BNB itself would necessarily drop to account for the increased number of assets. If this drop were severe enough, and with the chain operating normally, users might panic into selling their own BNB tokens before the price descended further. This, in turn, could generate a fire sale, with prices plummeting even as buyers failed to absorb the mountains of BNB being put back into the market after the sought-after liquidity. Once this cycle starts, it's exceedingly difficult to stop it. Several stock-traded companies and blockchains have seen these events unfold, mostly with catastrophic effects.
Following news of the exploit, and perhaps somewhat upheld by the impossibility of actually selling assets, the BNB token only saw a 3.35% decrease in value. We'll have to wait and see what Binance's community decides on this - but at least for now, a crisis seems to have been averted.