Attacker Steals $570 Million in BNB Tokens in BNB Chain Exploit

BNB-Chain-Binance-269737703

Binance’s token bridge between the BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20 or BSC) became the latest target of a bridge exploit. The attackers made off with $570 million in BNB tokens, forcing Binance to suspend deposits and withdrawals until it had a more complete picture of what happened. Binance has said very little about it except to confirm that it paused BNB Chain.

Most cross-chain bridges make it possible to exchange an asset on one blockchain for a “wrapped” or “staked” token on another blockchain. Then they can trade or use the wrapped/staked asset like they would the original asset.

Tokens with trading symbols like “WETH,” “stETH,” and “WBTC” are all “stand-in” assets on blockchains other than the original asset’s blockchain. WBTC, for instance, is “Wrapped Bitcoin,” an ERC-20 token on the Ethereum blockchain that can theoretically be traded 1:1 for BTC on the original Bitcoin blockchain. (Yes, they do sometimes deviate than the 1:1 target peg in trading.)

This comes with the assumption that they can swap the token back for the original asset when they’re ready. The problem, of course, is that the bridge might not have enough of the original asset to swap back if it got exploited like Binance’s bridge, the BSC Token Hub, did on October 6, 2022.

Binance had to reach out to 26 validators across 44 time zones to coordinate shutting down the BNB Chain. Yes, there are really that many time zones, and that meant it took time to get them all shut down. Binance says the closure helped minimize the loss despite the delays.

It also took a bit to pin down how much the attackers stole. Initial estimates placed it at $70 to $80 million, with $7 million of the stolen funds quickly frozen. Then Binance CEO Zhao Changpeng said the losses were probably closer to $100 million.

The blockchain freeze may have also kept losses in BNB’s value from getting worse. BNB dropped from $293.13 to $280.04 during the evening of October 6. It is currently trading at $281.71.

Binance says it will hold on-chain governance votes to determine the next steps, including freezing stolen funds and using “BNB Auto-Burn” to get rid of the remaining stolen funds. BNB Auto-Burns normally destroy BNB tokens, with the amount of destroyed tokens being based on its price and the number of blocks that are generated each quarter.

It will also hold a governance vote on whether to offer a “White Hat” bounty of $1 million for finding bugs and a bounty of up to 10% of the stolen funds for catching attackers.

Cross-chain bridges seem to be particularly vulnerable to exploits. Chainalysis estimates that $2 billion in assets were lost to exploits as of August 2022, with most of those funds getting stolen this year. As of August 2022, 13 bridges had been exploited.

The blockchain-based game Axie Infinity lost $625 million in an exploit of Ronin Network validators. It says it regained $5.8 million of those funds. Chainalysis jumped on the case with its ability to track blockchain-based assets.

Axie Infinity brought in law enforcement officials, forensic cryptographers, and investors to help deal with the problem. The exploiters did move some funds to major exchanges, at least one of which promised to intercept funds sent through its exchange.

Why would anyone use a bridge if it’s that vulnerable? That’s a good question. Previously, there was no question that assets couldn’t move between blockchains. A bitcoin will always reside on the Bitcoin blockchain and will be lost if you try to send it to an address on another chain. (Do NOT try to send BTC to a BCH address, for instance!)

Users primarily like bridges because it’s a chance to quickly “send” their assets from one blockchain to another while technically not breaking any rules. The original asset is still there; it’s just being held by the bridge until somebody swaps back.

Bridges do offer some benefits in terms of speed, scalability, and transaction fees. During times of high congestion, Bitcoin and Ethereum transaction fees can soar due to limited space in each block. Instead of paying somebody in BTC, you could whip out your Ethereum wallet and pay somebody with a “wrapped” bitcoin – a bitcoin stand-in on the Ethereum blockchain.

The same goes for Ethereum; you could use a “wrapped” Ethereum token on the Solana blockchain instead of straight-up ETH – even though the Solana blockchain does sometimes freeze. The Wormhole bridge also got hit by attackers who stole $326 million in February 2022.

After the Wormhole exploit, Step Finance founder George Harrap worried that Wormhole’s version of wrapped Ethereum could become worthless – always a possibility with one digital asset that’s pegged to another asset, especially in the wake of an exploit that loses the bridge hundreds of millions of dollars.

(Yes, I know, Lightning Network, but the data must still be written to the Bitcoin blockchain at some point and the Lightning Network could still use some polishing. The good part is that developers are working through some line items that will hopefully make it work better.)

Cross-chain bridges do have their uses. However, no one really knows which ones might get hit next and it’s sometimes possible for some exploits to not be noticed until the damage has already been done. Ethereum co-creator Vitalik Buterin predicted in a Tweet and Reddit post that bridges weren’t exactly secure in January 2022 – a likely prescient statement.

Buterin said that the future was likely multi-chain but not cross-chain, which is not necessarily a bad thing. It just requires “diversifying your portfolio” with the native assets of different blockchains if you want to choose which one you want to use at any given time. That way, you’ll be less at risk if a random “wrapped” token completely tanks due to an exploit that the originating bridge can’t recover from.