Ankr provided an update to its community a few days ago regarding the exploit it experienced earlier this month. In its blog post, Ankr revealed that it identified a hack on Dec. 1st, in which malicious actors accessed the developer’s private key and altered the smart contract for its BNB liquid staking token (aBNBc).
Following its internal research and assessment, Ankr reported that it lost $5m worth of BNB across liquidity pools in various DEXes. The team said it had already restored security and would promptly compensate affected liquidity providers.
While commenting on this latest development, Chandler Song, Co-Founder & CEO, Ankr, said;
“Thanks to the fast actions from the Ankr team and various protocols, we were able to minimize any damage done extremely quickly. Hacks and exploits from bad actors like this are an unfortunate possibility in Web3, even with every attention to detail in security processes – but we were well prepared. Unlike previous events in the space this year, we are doing the right thing by our community and ensuring that this is taken care of immediately with lost funds restored.”
Here Is What Happened
Ankr explained that the attacker was able to take advantage of the smart contract for the aBNBc token to create an infinite amount of this token and then exchange it for USDC.
While the aBNBb smart contract was safe from third-party minting prior to the attack, the attacker was able to obtain access to the deployer key. This allowed the hacker to upload a new aBNBb contract that included an extra method to mint without authorization checks.
The hacker proceeded to mint an excess of aBNBb out of thin air and rapidly moved to swap it out for other tokens on decentralized exchanges. The attacker minted a total of 60 trillion aBNBc across 6 different transactions. The attacker was able to swap some for the stablecoin USDC and began moving them off of the Binance Smart Chain and onto Ethereum before the transactions were flagged.
As a result, the Ankr network lost $5 million worth of BNB during the attack. However, it assured its community members that no other liquid staking tokens or Ankr products have been affected. Furthermore, Ankr’s validators, RPC API, and AppChain services continue to operate without any disruptions.
During the attack, Ankr said it alerted known off-ramps to implement their emergency plans (minimum: halt trading), secured the smart contracts with a new key to preventing any further tampering, and updated smart contracts and systems to temporarily pause the movement of the underlying collateral (BNB) to be safe.
Ankr Is Working To Resolve The Flaw
The team at Ankr pointed out that it is working hard to resolve this issue completely and efficiently. Ankr is identifying all those who provided liquidity to DEXes and all protocols supporting aBNBc or aBNBb LP, as well as aBNBc collateral pools (Midas, Helio), and we will notify all affected parties.
Furthermore, the team will purchase $5 million worth of BNB and use this to compensate the liquidity providers affected by the exploit. Finally, Ankr said they would discontinue aBNBc and aBNBb tokens effective immediately, and new ankrBNB tokens will be minted and airdropped to affected aBNBc and aBNBb users.
Ankr has urged its users not to trade aBNBc or speculatively buy it at a discount until the issue is resolved. Users are also urged to wait for the ankrBNB airdrop, which will be proportional to the amount of aBNBc and aBNBb that you held. ankrBNB will be redeemable against staked BNB.
The team concluded that all necessary precautions are being taken to promptly resolve the situation and restore lost capital.