A hole in the code of another blockchain bridge has been exploited for big profits as Binance suffered a breach that led to a loss of $566 million. The amount stolen is close to the record for crypto hacks, set just a few months ago with another bridge attack, but this incident is perhaps even more noteworthy as Binance is the world’s biggest crypto exchange by trading volume.
The platform has already mostly recovered from the incident, halting trading only for a time on October 6, and its patrons did not lose personal funds because the attack targeted a coin minting system rather than user wallets. However, the company has taken substantial financial damage from the incident and its BNB coin has dropped in value.
Regulations could be coming as crypto hacks keep making news
Decentralized finance is under serious threat from these crypto hacks, and not just in terms of financial risk. Perhaps the greatest risk is the changing of the entire ecosystem away from the mostly government-free frontier that currently exists, as investors lose their appetite for coins that can easily be stolen or devalued and find themselves more open to regulation and oversight.
The Binance incident joins similar crypto hacks in roughly the past year on the Poly Network, Wormhole Bridge, Nomad Bridge and Ronin Bridge; all of these incidents involved thefts of several hundred million dollars. And while the largest (the Ronin Bridge attack) was the result of elaborate social engineering by an elite North Korean state-sponsored hacking team, the rest involved unknown parties poking around in code and finding major vulnerabilities.
Binance crypto hack halts trading for part of a day, but user wallets unscathed
Decentralized bridges have been the main targets for crypto hacks that offer huge sums of money in one quick strike; the attackers generally focus on obtaining access to the majority of validators, which allows them to mint coins or approve transactions to quickly drain the bridge’s stored funds used for facilitating coin exchanges. In this case, the Binance Smart Chain Token Hub bridge had a vulnerability that involved using prior legitimate proof messages to forge new ones.
While the attackers minted over $560 million in total, they did not abscond with the full amount. They got away with about $110 million (mostly exfiltrated to Tether and USD Coin) before the wallet they were generating coins to was frozen, trapping about $430 million of the plunder beyond anyone’s reach. The Binance platform validators are set to take a vote on what will ultimately happen to the frozen funds.
Binance’s BNB coin dropped 4% with the initial news of the crypto hack and has since continued to trend downward. The platform is looking to restore user confidence with new governance protocols and a boost to the number of active validators. Binance has also made clear for some time that it is open to regulation, first taking a public position in favor of more government involvement in 2021.