The BNB Chain was temporarily paused after an exploit on its cross-chain bridge. The current impact estimate is around $100 million and $110 million equivalent of cryptocurrency.
According to the latest update, the BNB Chain has resumed working as usual, but let’s have a look at how the hack went down, according to a popular researcher.
Paradigm Researcher Sam Sun stated that the attacker somehow convinced the Binance Bridge to send out 1 million BNB to an address they controlled. They repeated the step twice. After comparing the attacker’s transactions with legitimate withdrawals, Sun noticed that the height used by the attacker was always the same – 110217401. However, the heights used by legitimate withdrawals were much bigger, such as 270822321, the researcher pointed out.
He further noted that the attacker’s proof was notably shorter than the legitimate withdrawal’s proof, meaning that they had found a way to “forge a proof” for that specific block – 110217401.
Binance has a special precompile contract that is used to verify IAVL trees. When a user verifies an IAVL tree, they need to specify a list of “operations.” The Binance Bridge typically expects two of them: an “iavl:v” operation, and a “multistore” operation, Sun specified. The attacker managed to exploit the bug in the Binance Bridge that verified proofs allowing attackers to forge arbitrary messages.,
While the attacker only forged two messages, the researcher claimed that the damage could have been far worse.
The Same Dilemma
Binance CEO Changpeng Zhao confirmed the exploit after the validators were asked to temporarily suspend BSC and revealed that the issue had been contained.
“Initial estimates for funds taken off BSC are between $100M – $110M. However, thanks to the community and our internal and external security partners, an estimated $7M has already been frozen. We are humbled by the speed and collaboration from the community to freeze funds.”
The latest BNB Chain exploit and the subsequent steps taken by Binance may have controlled the damage, but the community faces the same dilemma surrounding decentralization once again. Bartek Kiepuszewski, MakerDAO’s blockchain architect, expressed a similar sentiment in his tweet regarding the same,
“do we want a simple bridge but with trusted validators that can censor, freeze or seize funds or do we want trustless but significantly more complicated infrastructure?”
The post Here’s How the Multi-Million BNB Chain Hack Went Down: Paradigm Researcher appeared first on CryptoPotato.