Hacker exploits bug to steal millions from Binance Bridge

The world’s largest cryptocurrency exchange suspended its smart contract blockchain after a hacker stole at least $100 million in cryptocurrency, reports Data Breach Today. Independent observers say the attack on the Binance Smart Chain (BSC) actually netted the hacker $586 million.

Changpeng “CZ” Zhao, chief executive of Binance, says the company asked all validators to suspend BSC and is resolving the issue. “Your funds are safe. We apologise for the inconvenience,” Zhao tweeted. He linked to a Reddit post asserting that “the issue is contained now.” BSC uses a consensus mechanism requiring multiple validators to approve transactions. The BSC blockchain runs in parallel with the Binance Chain.

The attacker exploited a vulnerability in the BSC Token Hub, a cross-chain bridge, abusing the smart contract blockchain’s internal verification logic to make a “huge reward claim,” cybersecurity firm PeckShield told Information Security Media Group. PeckShield also estimates the total loss at $586 million and says that $89.5 million of the stolen funds have already been moved off the Binance Smart Chain.

The incident is the latest in a series of attacks on cross-chain bridges. Blockchain security company Chainalysis pegs the amount of cryptocurrency stolen from bridges this year at $2 billion. Attacks on bridges accounted for 69% of total funds stolen in 2022 through July, it says.

In a bid to address the vulnerability, Binance appeared to be working to fix the code with a node upgrade. “We request BSC Validators to get in touch with us within the next few hours so that we can plan a node upgrade,” Binance’s decentralised network BNB Chain tweeted.

It is unclear when the patch will be issued. “No ETA yet. Let’s give the devs time to fully understand the root cause, implement the fixes, test them thoroughly, and then resume. Let’s not rush it now,” Zhao added.


© 2023 Blockchain Ireland