
DeFi Protocols Ankr and Helio Get Hacked for $20M

Cross-chain staking platform Ankr and lending firm Helio protocol got hacked early Friday for around $20 million. Crypto exchange Binance was able to rescue $3 million of the stolen funds.

Ankr Suffers $5M Exploit

According to blockchain security firm PeckShield, the attacker likely deployed a bug into Ankr’s token contract. The bug sparked an unlimited mint of aBNBc, a reward-bearing token for the Ankr ecosystem. The token is designed to be pegged to the price of the Binance coin, BNB.

The exploiter was able to mint over 6 quadrillion aBNBc tokens. From the minted tokens, the bad actor moved 20 trillion aBNBc tokens, which eventually got swapped for BNB. The BNB tokens were later swapped for $5 million worth of USDC.

Since the exploit, the aBNBc token has been severely impacted. At press time, the token traded at $1.5, representing a loss of nearly 100% of its initial value, which was pegged to BNB.

Helio Protocol Sees $15M Loss

Shortly after the Ankr exploit, a user with a different wallet address (0x8D11…) conducted another DeFi attack. This time, HAY, the stablecoin for the BNB Chain-based Helio protocol, was the victim.

The user exchanged 10 BNB for over 183,000 aBNBc. The attacker then performed several actions that brought $15 million worth of HAY into their wallet. The attacker likely capitalized on the fresh exploit on Ankr, thereby manipulating the oracle system on Helio protocol. The price oracle is responsible for supplying up-to-date asset prices to the network.

Following the attack on Helio, its stablecoin HAY dropped rapidly to a trading price of $0.2. The token is currently recovering from the attack as it holds a trading price of $0.6.

Binance and Ankr Comments

The Ankr team acknowledged the attack on its platform and published a Twitter thread showing its plan to combat the issue. The team noted that it was in collaboration with exchanges to halt trading of the aBNBc token.

Following their announcement, Changpeng Zhao (CZ), the CEO of the leading crypto exchange Binance, noted that his company paused withdrawals of the aBNBc token. He added that the company had retrieved $3 million worth of stolen assets that got sent into Binance.

Ankr has now proposed a comeback plan. Based on a snapshot of their available wallet balances, it will reissue another token called ankrBNB to all aBNBc holders. It added that the aBNBc token will no longer be redeemable. 

The cross-chain staking platform also mentioned that it will “compensate in totality” its liquidity providers who were affected by the attack. The project seeks to achieve this through the purchase of $5 million worth of BNB.