Fallout From the BNB Bridge Hack

Two of the first researchers to discover the Oct. 6 BNB bridge hack have shared lessons learned from the exploit, along with further details on how it went down, in interviews with BSC News. Meanwhile, the BNB Smart Chain (BSC) implemented a hard fork to patch the exploit on Oct. 12 at about 9 a.m. UTC.

Zane Huffman, Head of Strategy at Vesper and Co-Founder of Governor DAO, chronicled the exploit in real-time on Twitter soon after it began, while H Xie, CEO of security firm Ancilia, Inc. was among the first to notice the hack via the company’s blockchain security monitoring system.

Huffman said the response from BNB Chain to the hack wasn’t as fast as he would have expected.

“I'm not sure how long it took them from initial alert. But it was several hours since the hack began. That's better than some largescale hacks but we also hear stories about budding hacks being stopped immediately,” he told BSC News. “I feel like Binance should have some alerts going off right when that initial 1,000,000 BNB withdrawal took place. If they saw it immediately and still spent several hours until shutdown, that doesn't seem like a super fast response.”

For BNB Chain’s part, Xei said that there has never been an exploit like this before to his knowledge, meaning it may have been harder to detect.

“Blockchain is still in its earliest stage, and a lot of the infrastructure is not ready, specifically on the security side. People still mostly rely on security code audits to ensure their protocol’s safety,” he told BSC News. “The capability to take action during or immediately after a hack like this one that affected all BNB owners and BSC users are necessary. If anything, this case demonstrates the need for more security tools and infrastructure ...”

Huffman noted that although the more centralized nature of the BNB Chain may have actually helped this time by enabling the organization to shut down the chain more quickly, attackers will probably move faster next time.

“The degree of centralization probably correlates to the reaction time: more decentralized = longer reaction time. So it was good this time,” Huffman said. “But in the future, if a similar attack were to occur, the attacker probably would route funds off of BNB Chain faster.”

He added that the hacker(s) could have chosen much faster ways to route funds than they did and that if their mission was to get away with as much money as possible, they seemed to waste a lot of time with a calculated but ultimately very inefficient strategy.

“It seems to me like they thought they'd have more time to covertly move everything,” he speculated. “Once alerts start flying, they seem to move much more frantically, taking on huge slippage dumping BNB through PancakeSwap, for example.”

Xei agreed that the follow-through strategy of the hacker(s) was odd given how sophisticated the initial hack was.

“The sophistication of the hack and how it was carried out makes us believe that the hacker is smart and the hack is well planned, but on the other hand, we believe the money exfiltration is not as quick and sophisticated as exhibited in previous hacks,” he concluded.

Fortunately, other blockchains don’t have to worry about similar exploits, according to Xei, since the bug existed only on BSC and was specific to the BSC Token Hub bridge.

Despite the BSC bridge hack being the third largest blockchain-related hack in history, it dropped the price of BNB by only a few percentage points at the time, underscoring the lack of interest markets seem to have in the ongoing barrage of hacks plaguing Decentralized Finance (DeFi) projects lately.

This lack of reaction may be a result of markets having already priced in the relative newness of the technology and the resultant security risks. Xei, for one, stressed that Web3 is still in its early days, especially in the area of security.

“Any code, no matter how many times you have done code audits, is still potentially vulnerable, as many hacks have demonstrated,” he said.

Xei suggested the number of hacks can be reduced if the blockchain community evolves its practices to include:

• A mindset shift towards security by design.
• The adoption of monitoring/alerting systems such as Ancilia’s.
• Preventative mechanisms built into protocols so that the loss and damage can be reduced to a minimum when hacks do happen.
• More collaboration between projects to build a wider security ecosystem to fight back against hackers.

BSC Patches Exploit With Hard Fork

BNB Chain acknowledged that about $100 million remained unrecovered in an Oct. 11 post on its website. The message also referenced a hard fork to take place on Oct. 12 to patch the BSC Token Hub bridge exploit at block height 22,107,423 at about 8 am UTC.

Details of the v1.1.16 hard fork, dubbed Moran, were released by Binance in an Oct. 11 announcement as well as on the BNB Chain GitHub page.

Binance wrote in its announcement that the “BNB Smart Chain (BEP20) network upgrade and hard fork will not result in new tokens being created.”

At about 10:30 a.m. UTC on Oct. 12, BNB Chain said on Twitter that the upgrade had been completed.