BNB Chain Undergoes Hard Fork After $100M Exploit

Binance Smart Chain Will Support Cardano Liquidity Mining
Binance Smart Chain Will Support Cardano Liquidity Mining

A recent vulnerability in the BNB Chain has been successfully fixed with the Moran hard fork.

Attacker gets away with 100 million USD

The Binance Smart Chain was temporarily halted on October 6 after Binance noticed irregular activities on its smart contract platform. This was possible by contacting all of the BSC’s 26 delegated validator nodes, one by one, and asking them to suspend the blockchain.

It soon turned out that the irregular activity was the result of an exploit in which a total of 2 million BNB (~540 million USD) were created out of thin air. 

According to an analysis by Twitter user @samczsun, the attacker managed to forge a proof that he deposited the money into the BSC Token Hub, which bridges the legacy Binance Beacon Chain and the Binance Smart Chain.

In summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages. Fortunately, the attacker here only forged two messages, but the damage could have been far worse.

However, instead of dumping his ill-gotten BNB and immediately drawing suspicion to himself, he deposited them in several DeFi protocols on the BSC, to lend other tokens, which he then bridged off the BSC. It is estimated that the attacker stole over 100 million USD this way. 

After the attacker’s funds were frozen on BSC, the chain resumed its regular operations about eight hours later. 

Moran hard fork successfully activated

As a hotfix, Binance has released a network upgrade with version 1.1.16, which was activated via hard fork today at block height 22,107,423. The upgrade, dubbed Moran, fixes the vulnerability in the iavl hash check the attacker exploited to forge his deposit proofs. 

While no further action is required for regular BSC users, validator nodes should implement the upgrade as quickly as possible, unless they have already done so.