​aBNBc token rate collapses by 99,5% due to hacking of DeFi protocol Ankr

What’s new? On December 2, Ankr, a DeFi protocol, was hacked, resulting in a $5 million loss. According to cybersecurity company PeckShield, the code underlying the Ankr contract allows any user to create an unlimited number of the protocol’s reward tokens without any verification. Through the exploit, the attacker issued 6 quadrillion aBNBc tokens, then exchanged 20 trillion aBNBc to BNB and moved them to the Tornado Cash crypto mixer. He then exchanged the BNB tokens for 5 million USDC stablecoins. As the hacker almost completely drained the aBNBc liquidity pools on the decentralized exchanges (DEXs) PancakeSwap and ApeSwap, the token lost 99,5% of its value. As of 07:40 UTC, the asset is trading at $1,52, according to CoinGecko.

#PeckShieldAlert Seems like @ankr has been exploited, $aBNBc has dropped -50%, tons of $aBNBc have minted to https://t.co/nyfwdd6fWIand the exploiter transferred some of the stolen funds to Tornado cash or bridged them via celer and deBridgeGate to Ethereum @peckshield pic.twitter.com/vK94dIEWIt — PeckShieldAlert (@PeckShieldAlert) December 2, 2022

Statement of the project’s representatives. The Ankr team urged users not to trade, remove liquidity from DEXs and keep the aBNBc (liquidity providers). According to the statement, the snapshot will be made soon. In addition, representatives of the protocol announced a reissuance of aBNBc.

Further instructions from the Ankr team: 1. Do not trade2. Remove liquidity from DEXes if you are a liquidity provider (and keep the aBNBc)3. Snapshot will be done and wait for additional news4. Will do a reissuance of aBNBc — Ankr (@ankr) December 2, 2022

The Ankr team later contacted DEXs to block token trading on the platforms. The reissuance of aBNBc will take place after the situation is assessed.

Additional details: We have been in touch with the DEXes and told them to block trading. We will reissue tokens in the future after we assess the situation. — Ankr (@ankr) December 2, 2022

Analytics company Lookonchain reported that one trader was able to take advantage of the exploit and turn 10 BNB into 15,5 million BUSD stablecoins. He did this by taking advantage of Helio, a DeFi lending protocol, which did not have up-to-date prices for aBNBc after the crash.

1/ A SmartMoney made 15.5M $BUSD with 10 $BNB!After Ankr Exploiter dumped aBNBc, he bought 183,885 aBNBc with just 10 $BNB($2,879).Then deposited 183,885 aBNBc into @Helio_Money as collateral and borrowed 16M $HAY.In the end, sold 16M $HAY and get 15.5M $BUSD. pic.twitter.com/Z72t1JG78t — Lookonchain (@lookonchain) December 2, 2022

The trader was also able to use the prices on aBNBc before the collapse to borrow $16 million from the low-traded HAY stablecoin and convert it to BUSD. HAY has since lost its peg to the dollar and is trading at $0,5782.

Crypto exchange Binance said it would help investigate the Ankr exploit. The company noted that this attack is not aimed at Binance and that its customers’ funds are safe.

We are aware of the attack targeting @ankr's aBNBc token. Our team is engaged with the relevant parties and @BNBCHAIN to investigate further.This is not an attack against #Binance, and your funds are SAFU on our exchange. This thread will be updated should there be any updates. — Binance (@binance) December 2, 2022

According to Binance CEO Changpeng Zhao, initial analysis of the attack on Ankr and HAY showed that the developer’s private key was hacked. This allowed the hacker to replace the smart contract with a malicious one. Zhao also noted that Binance froze a transfer of about $3 million purportedly from the attacker.

We are aware of the attack targeting @ankr's aBNBc token. Our team is engaged with the relevant parties and @BNBCHAIN to investigate further.This is not an attack against #Binance, and your funds are SAFU on our exchange. This thread will be updated should there be any updates. — Binance (@binance) December 2, 2022

According to analysts at Chainalysis, cryptocurrencies have lost more than $3 billion in hacks in 2022. On October 12 alone, four exploits of DeFi projects were recorded.

For the causes of the vulnerability of decentralized protocols, see GetBlock Magazine’s article.