Ankr has revealed that a former employee was responsible for the $5 million ‘supply chain attack’ on the platform in December. The attacker exploited a smart contract vulnerability on the protocol to mint an unlimited amount of aBNBc tokens. The company is working with law enforcement to find the culprit.
BNB Chain-based decentralised finance (DeFi) platform Ankr says that an ex-employee was behind the multi-million dollar exploit that occurred on its protocol on December 1. According to the company's announcement, the former employee inserted a malicious code package into Ankr’s smart contract, creating a security vulnerability that allowed them to mint an unlimited number of aBNBc (Ankr Reward Bearing Staked BNB) tokens in a “supply chain attack”.
A day after the attack, Ankr developers briefly explained how the exploit took place. The culprit, who is no longer employed by the company, first gained access to the team’s ‘deployer key’, which is used to deploy the DeFi protocol’s upgradeable smart contracts. This allowed the former employee to deploy an entirely new contract containing the malicious code into one of the upgrades, giving them the ability to issue an unlimited number of aBNBc tokens out of thin air “without authorization checks”.
After minting 60 trillion tokens, the attacker swapped 20 trillion aBNBc for BNB on Ankr and then moved the assets on Ethereum to crypto mixer Tornado Cash. Here the ex-employee converted the BNB for $5 million USDC. Because the attacker drained all aBNBc liquidity pools on PancakeSwap and ApeSwap, the token lost almost 99% of its value; according to data from CoinGecko, it is currently trading at $0.01.
On-chain security research firm PeckShield reported that the malicious smart contract used by the hacker would allow any user to mint an unlimited amount of the staking reward token without needing any kind of verification. In response to the attack, Ankr first transferred ownership of the smart contracts to its validators that were not compromised: RPC, API and App Chain. This move secured the contracts and prevented them from being exploited any further.
Ankr then alerted decentralised exchanges (DEXs), including Helio and Midas, to halt all trading of aBNBc or aBNBb tokens, and identified all token holders, including those supplying liquidity to exchanges. In a blog post, the protocol announced that the current versions of both tokens will no longer be redeemable for BNB, and that a new token, ankrBNB, will be issued instead. Ankr took a snapshot of aBNBc and aBNBb holders’ account balances as of December 2, 2022, 12:43:18 am UTC, in order to compensate them with new coins based on their balances before the attack took place. In addition, developers asked aBNBc and aBNBb token holders to remove their assets from liquidity pools and hold them in their wallets instead.
To reimburse victims, Ankr promised to allocate $5 million from its own treasury to ensure that the new tokens are fully backed by reserves. The DeFi platform also stated that it would spend $15 million to buy back bad debt suffered by the stablecoin protocol Helio, which was affected by the exploit. Helio’s US dollar-pegged stablecoin HAY lost its dollar parity and fell to as low as $0.20 soon after the attack. However, the stablecoin has regained much of its lost value and is currently trading at $0.99.
“We are in the process of working with law enforcement to prosecute the former team member and bring them to justice. Unfortunately, internal bad actors can affect any protocol and we are working on shoring up internal HR (Human Resources) processes and safety measures to strengthen our security posture going forward,” said Ankr in a blog post.
The company's analysis found that the attack was only possible because it uses upgradeable contracts that rely on a single ‘owner account’, which has the sole authority to deploy upgrades. Ankr will now implement multi-signature authentication for smart contract upgrades, requiring the transaction to be signed by all deploy key custodians during time-restricted intervals. This feature will improve security for the ankrBNB and ANKR tokens.
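The all-custodians, time-windowed approval described above can be modelled as follows. This is an added example, not Ankr's code: the class and function names are hypothetical, caller identity is assumed to be authenticated already, and binding approvals to a SHA-256 hash of the upgrade bytecode goes beyond what the announcement states.

```python
# Added illustration, not Ankr's code; all names are hypothetical.
import hashlib

def code_hash(bytecode: bytes) -> str:
    return hashlib.sha256(bytecode).hexdigest()

class UpgradeGate:
    """All-custodians upgrade gate; `sender` is assumed authenticated (like msg.sender)."""

    def __init__(self, custodians, window_seconds):
        self.custodians = frozenset(custodians)
        self.window = window_seconds
        self.proposals = {}  # code hash -> (opened_at, set of approvers)

    def _open_proposal(self, sender, digest, now):
        if sender not in self.custodians:
            raise PermissionError("not a custodian")
        if digest not in self.proposals:
            raise PermissionError("unknown proposal")
        opened_at, approvers = self.proposals[digest]
        if not opened_at <= now < opened_at + self.window:
            raise PermissionError("outside approval window")
        return approvers

    def propose(self, sender, bytecode, now):
        if sender not in self.custodians:
            raise PermissionError("not a custodian")
        digest = code_hash(bytecode)
        self.proposals[digest] = (now, {sender})  # re-proposing resets approvals
        return digest

    def approve(self, sender, digest, now):
        self._open_proposal(sender, digest, now).add(sender)

    def execute(self, sender, bytecode, now):
        # Approvals are found via the hash of the bytecode actually being deployed,
        # so a payload swapped in after review has no approvals behind it.
        digest = code_hash(bytecode)
        approvers = self._open_proposal(sender, digest, now)
        if approvers != self.custodians:
            raise PermissionError(f"missing approvals: {sorted(self.custodians - approvers)}")
        del self.proposals[digest]  # one-shot: approvals cannot be replayed
        return digest

def try_upgrade(gate, sender, bytecode, now):
    try:
        gate.execute(sender, bytecode, now)
        return "upgraded"
    except PermissionError as exc:
        return str(exc)
```

With a single owner account the equivalent check is one comparison against one key, which is why one compromised deployer key was enough.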
At the time of writing, ANKR is trading at $0.017, down 0.2% in the last 24 hours.