According to the initial timeline compiled by Supremacy:
At 00:55 on October 7, 2022 (Beijing time), the hacker paid 100 BNB to register as a relayer by calling the contract 0x0000000000000000000000000000000000001006 (BSC: Relayer Hub) at block height 21955968.
At 02:26, the hacker launched an attack at block height 21957793 by calling the contract 0x0000000000000000000000000000000000002000 (BSC: Cross Chain), and the attack netted 1 million BNB.
At 04:43, the hacker launched a second attack at block height 21960470 by calling the same contract 0x0000000000000000000000000000000000002000 (BSC: Cross Chain), and this attack netted another 1 million BNB.
In total, the hacker obtained (minted out of thin air) 2 million BNB from the BNB Chain Token Hub system contract across the two calls, then posted 900,000 BNB as collateral on the BNB Chain lending protocol Venus, borrowing 62.5 million BUSD, 5,000 BNB, 10,000 USDT and 35 million USDC.
Supremacy said that, as of publication, it believes the problem lies in BSC's Merkle tree verification, and its analysis is still in progress.
According to PeckShield, the BNB Chain attacker has transferred about $89.5 million of the stolen funds to other chains (outside BNB Chain): about 58% to Ethereum, about 33% to Fantom, and about 4.5% to Arbitrum.
Tether quickly blacklisted 4.8 million USDT on Ethereum (and subsequently blacklisted 1.7 million USDT on AVAX). BNB Chain announced that the chain would be suspended: “We are asking BSC validators to contact us within the next few hours so we can plan node upgrades.”
According to CZ, the BSC Token Hub is a bridge between the BNB Beacon Chain (BEP2) and the BNB Chain (BEP20 or BSC), and the amount currently affected is estimated at around $100 million. Analysts pointed out that although the outflow is limited thanks to the timely suspension of BNB Chain, an awkward situation still lies ahead: if the hacker does not voluntarily return the funds, the question of how to handle the amount that remains on BNB Chain will inevitably spark a centralization versus decentralization controversy.
Cosine, founder of SlowMist, commented: judging by the theft and money-laundering methods, this wave of hackers moved fast and precisely. Binance may also have moved fast and precisely (suspending BSC, working with Tether and others to freeze related funds). “This wave of hackers is not easy… Let’s see if we can trace the identity of the hackers this time.” However, the Chinese community has also criticized this, because BNB Chain had not taken a similarly centralized approach in previous cases of token theft.
According to SlowMist, the hacker’s initial source of funds was ChangeNOW, and the hacker’s address had interacted with multiple DApps, including Multichain, Venus Protocol, Alpaca Finance, Stargate, Curve, Uniswap, Trader Joe, PancakeSwap and SushiSwap.
(Figure: current distribution of the hacker’s profits, from SlowMist)
Analyst @samczsun posted a thread explaining how the hacker used the Binance Bridge to steal BNB. The attacker stole 1 million BNB twice, but the block height used in the proofs was 110217401, much lower than the normal height. Furthermore, the proof submitted by the attacker was shorter than a legitimate proof, showing that the attacker forged the proof for that particular block. Specifically, the attacker added a new leaf node to the path used when the COMPUTEHASH function generates the hash, then inserted a blank internal node to satisfy the proof verifier, which exits early once it finds a hash matching that internal node. So far, only two forged proofs have been produced this way.
“In conclusion, there is a bug in the way Binance Bridge verifies proofs that could allow an attacker to forge arbitrary messages. Fortunately, the attacker here only forged two messages, but the damage could have been much worse.”
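As an added illustration (not code from this article, from samczsun, or from BNB Chain's IAVL implementation), the toy Python verifier below contrasts a strict Merkle-proof check, which folds every proof node up to the root and compares only there, with the early-exit pattern described above, where the verifier reports success as soon as its running hash matches a node hash carried in the proof itself. The tree layout, hashing scheme and proof encoding are assumptions made for this simplified model.

```python
import hashlib
import hmac
# Toy binary Merkle tree (an assumed layout for illustration, not BSC's IAVL format).
def leaf_hash(value: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + value).digest()      # domain-separated leaf hash

def inner_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(values):
    """Return (root, proofs); proofs[i] lists (sibling_hash, sibling_is_left) from leaf i upward."""
    level = [leaf_hash(v) for v in values]             # len(values) must be a power of two
    pos = list(range(len(values)))                     # position of each leaf's current ancestor
    proofs = [[] for _ in values]
    while len(level) > 1:
        for i, p in enumerate(pos):
            proofs[i].append((level[p ^ 1], (p ^ 1) < p))
            pos[i] = p // 2
        level = [inner_hash(level[j], level[j + 1]) for j in range(0, len(level), 2)]
    return level[0], proofs

def fold(acc: bytes, proof) -> bytes:
    for sibling, sibling_is_left in proof:
        acc = inner_hash(sibling, acc) if sibling_is_left else inner_hash(acc, sibling)
    return acc

def verify_strict(root: bytes, value: bytes, proof, depth: int) -> bool:
    """Hardened pattern: fixed proof length, fold through every node, compare only the root."""
    if len(proof) != depth:
        return False
    return hmac.compare_digest(fold(leaf_hash(value), proof), root)

def verify_lenient(root: bytes, value: bytes, proof) -> bool:
    """Flawed pattern modelled on the early exit described above: success is reported as soon
    as the running hash matches a node hash carried in the proof itself."""
    acc = leaf_hash(value)
    for sibling, sibling_is_left in proof:
        if acc == sibling:                             # matching hash found -> exit early (the bug)
            return True
        acc = inner_hash(sibling, acc) if sibling_is_left else inner_hash(acc, sibling)
    return acc == root

def demo():
    """Constructed sample: a legitimate proof and a one-node proof for a value not in the tree."""
    root, proofs = build_tree([b"a", b"b", b"c", b"d"])
    depth, bogus = len(proofs[0]), b"not-in-tree"
    short_proof = [(leaf_hash(bogus), False)]          # shorter than any real proof for this tree
    return (verify_strict(root, b"c", proofs[2], depth), verify_lenient(root, b"c", proofs[2]),
            verify_strict(root, bogus, short_proof, depth), verify_lenient(root, bogus, short_proof))
```

The strict verifier rejects the short proof on length alone and would still reject it after folding, while the lenient verifier accepts it, which is the failure mode a bridge verifier must avoid.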