Following the recent attack that hit the Ankr exchange, the security team has issued an update on the malicious event. They stated that the attacker used a mint bug in the platform’s smart contract code to mint millions of aBNBc while bypassing verification.
Ankr disclosed what happened during the attack
Earlier yesterday, the Ankr centralized exchange discovered malicious activity, leading them to halt some operations temporarily. However, before they could apply prompt security measures, they had already incurred a loss of $5 million in BNB.
After several hours of investigation, the Ankr security team eventually fished out the root cause of the attack. According to them, the attacker maneuvered to access the developer’s private key. He then used it to attack the platform’s aBNBc smart contract via a bug in its code.
Furthermore, using the loophole, he created a new aBNBc smart contract which allows infinite minting of BNB without the standard verification procedure. After that, he minted the token in excess and swapped them for USDC stablecoin. He then moved his loot to decentralized platforms like TornadoCash, Uniswap, and others before being discovered.
According to the Ankr security team, the attacker minted about 60 trillion BNB liquid staking tokens (aBNBc). In addition, the platform incurred a total loss of $5m.
Ankr restores security and plans to compensate victims
To calm its agitated users, the platform’s CEO, Chadler Song, stated that the attack solely affected aBNBc, and other tokens were safe. He added that to mitigate the loss, they have immediately disabled the aBNBc and aBNBc smart contracts to create new ones soon.
Also, the founder assured users that they had implemented prompt security actions to secure users’ funds and prevent further attacks effectively. Additionally, the platform has renewed the affected smart contract’s private key to prevent other third-party access.
Furthermore, Chadler explained that his team works diligently to identify the victims whose stakes were stolen in the attack. After proper identification, they would compensate them according to their loss.
In alignment, Ankr planned to buy BNB tokens worth $5 million to back its compensation mission. Users of the attacked aBNBc and aBNBb liquidity pools would receive airdrops of the new smart contract token the platform plans to create.
And lastly, the CEO warned users to stop buying or selling the aBNBc smart contract tokens. The investigation continues as the security team continues to track the attacker.