Exploiting Loophole In Blockchain Bridge Used in Binance’s BNB Chain

Cryptocurrency exchange Binance temporarily halted its blockchain network on Thursday in response to a cyberattack that led to the theft of two million BNB tokens, notionally exchangeable for $566 million in fiat currency.

The shutdown, requiring the cooperation of 26 validators to close the decentralized system, occurred around 2200 UTC on October 6, as a result of the exploitation of the BSC Token Hub bridge, which connects the BNB Beacon Chain and the BNB Smart Chain so tokens from different blockchains can be exchanged.

"There was an exploit affecting the native cross-chain bridge between BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20 or BSC), known as 'BSC Token Hub,'" said Din (Dardania) Havolli, content lead for BNB Chain, in a blog post. "A total of two million BNB was withdrawn. The exploit was through a sophisticated forging of the low level proof into one common library."

Binance, registered in the Cayman Islands, is the largest cryptocurrency exchange by volume.

Security firm SlowMist says that the crypto-robbers have moved about $110 million off the BNB chain to other blockchains. The suspension of the network kept about $430 million worth of BNB tokens from being transferred and those tokens appear to remain trapped in the thieves' digital wallet. The BSC Token Hub resumed operations around 0630 UTC on October 7.

The heist is the latest in a long series of hits on blockchain bridges, systems that allow transactions via so-called smart contracts across different blockchains. There was the $191 million looting of Nomad in August. Before that, there was Ronin Bridge ($600 million); Qubit Bridge ($80 million); Wormhole Bridge ($320 million); Meter.io Bridge ($4.4 million); and Poly Network Bridge ($610 million that was returned).

The Ethereum documentation on blockchain bridges warns that bridges are relatively new and carry risks, including "the risk of a bug in the code that can cause user funds to be lost," and that "software failure, buggy code, human error, spam, and malicious attacks can possibly disrupt user operations."

The documentation turns out to be correct.

While investigations are still at a preliminary stage, it appears that the attacker was able to forge proof messages that were then accepted by the BSC Token Hub bridge, said Ronghui Gu, CEO and co-founder of CertiK, a blockchain security firm, in a statement provided to The Register. This bug seems to be the result of the bridge not fully verifying the Merkle proof to the root hash, which allowed the attacker to generate forged proofs from a previous, legitimate one and then mint BNB directly to their wallet.

Paradigm Researcher Sam Sun, who analyzed the attack in a Twitter thread, concluded there was a bug in the way that the Binance Bridge verified proofs that allowed attackers to forge arbitrary messages.
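The two statements above describe the same failure class: a bridge that walks a Merkle proof but never anchors the result to a root hash it actually trusts. The following is an added illustration, not code from the article, from BNB Chain or from the BSC Token Hub, and it does not model the bridge's real proof format. It builds a generic binary SHA-256 Merkle tree (constructed convention: `0x00`/`0x01` domain-separation prefixes, padding to a power of two) and contrasts a weak verifier that compares the recomputed path only against a root carried inside the message with a strict verifier that compares it against a trusted root obtained out of band. The `substitute_leaf` helper is the test vector: a legitimate proof with the leaf swapped, which is exactly what the strict check exists to reject.

```python
import hashlib
from typing import Dict, List, Tuple

# A proof step is (sibling hash, True if the sibling sits to the right of our node).
Proof = List[Tuple[bytes, bool]]


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(data: bytes) -> bytes:
    # Domain-separate leaves from internal nodes so one cannot impersonate the other.
    return _sha256(b"\x00" + data)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def build_tree(leaves: List[bytes]) -> Tuple[bytes, List[Proof]]:
    """Build the tree and return (root, inclusion proof for each original leaf).

    Constructed convention: the leaf count is padded to a power of two with empty leaves.
    """
    if not leaves:
        raise ValueError("need at least one leaf")
    level = [leaf_hash(d) for d in leaves]
    while len(level) & (len(level) - 1):
        level.append(leaf_hash(b""))
    n = len(level)
    proofs: List[Proof] = [[] for _ in range(n)]
    positions = list(range(n))  # index of each leaf's ancestor at the current level
    while len(level) > 1:
        next_level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        for leaf_i in range(n):
            p = positions[leaf_i]
            if p % 2 == 0:
                proofs[leaf_i].append((level[p + 1], True))
            else:
                proofs[leaf_i].append((level[p - 1], False))
            positions[leaf_i] = p // 2
        level = next_level
    return level[0], proofs[: len(leaves)]


def compute_root(leaf: bytes, proof: Proof) -> bytes:
    """Recompute the root implied by a leaf and its sibling path."""
    acc = leaf_hash(leaf)
    for sibling, sibling_on_right in proof:
        acc = node_hash(acc, sibling) if sibling_on_right else node_hash(sibling, acc)
    return acc


def verify_weak(message: Dict) -> bool:
    """Constructed model of the flaw class: the path is checked only for internal
    consistency against a root the sender supplied, so it proves nothing."""
    return compute_root(message["leaf"], message["proof"]) == message["claimed_root"]


def verify_strict(message: Dict, trusted_root: bytes) -> bool:
    """Hardened check: the path must reach the root the verifier already trusts,
    e.g. one committed by the validator set, never one taken from the message."""
    return compute_root(message["leaf"], message["proof"]) == trusted_root


def substitute_leaf(legit: Dict, new_leaf: bytes) -> Dict:
    """Derive a test message from a legitimate proof by swapping the leaf and
    reusing the sibling path; the claimed root is whatever the new path yields."""
    return {
        "leaf": new_leaf,
        "proof": legit["proof"],
        "claimed_root": compute_root(new_leaf, legit["proof"]),
    }


def demo() -> Tuple[bool, bool]:
    """Returns (weak verifier result, strict verifier result) for a swapped-leaf message."""
    # Constructed sample leaves standing in for cross-chain transfer records.
    leaves = [b"transfer:alice:10", b"transfer:bob:25", b"transfer:carol:5"]
    trusted_root, proofs = build_tree(leaves)
    legit = {"leaf": leaves[1], "proof": proofs[1], "claimed_root": trusted_root}
    assert verify_strict(legit, trusted_root)
    tampered = substitute_leaf(legit, b"mint:unknown:2000000")
    return verify_weak(tampered), verify_strict(tampered, trusted_root)


if __name__ == "__main__":
    print(demo())  # weak verifier accepts the tampered message, strict rejects it
```

The only difference between the two verifiers is the source of the root they compare against; any design in which the verifier's reference value can be influenced by the message under verification is equivalent to no verification at all, which is the property a bridge's proof check has to preserve end to end.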

Changpeng Zhao, Binance's CEO, reiterated the apology in Havolli's post and claimed everyone's money is OK. "The issue is contained now," he said via Twitter. "Your funds are safe."