Binance Smart Chain
https://twitter.com/peckshield/status/1578144162045898752
https://twitter.com/0xfoobar/status/1578140914283065344
https://twitter.com/cz_binance/status/1578171072067031042
https://www.reddit.com/r/bnbchainofficial/comments/xxjkpy/temporary_pause_of_bsc/
https://twitter.com/samczsun/status/1578172227400310786
https://twitter.com/CertiKAlert/status/1578253116415295489
BNB Chain is a global, decentralized network with developers, validators, users, HODLers and enthusiasts. BSC Token Hub is the bridge between BNB Beacon Chain (BEP2) and BNB Chain (BEP20 or BSC).
Peckshield Alert reported a major drain of funds from BNB (BSC) Token Hub. Apparently, two huge reward claims, each for 1M BNB and totaling ~$586M in rewards, were made from its token hub.
CZ of Binance posted a follow-up stating that the exploit was on a cross-chain bridge, BSC Token Hub, and resulted in extra BNB. Chain validators were suspended and, according to CZ, the current estimates for funds taken off BSC Token Hub are between $100M and $110M, or $51 million going to Ethereum and $48 million to Fantom (https://twitter.com/CertiKAlert/status/1578300670544936960/photo/1). After the restart of the bridge, the remaining funds that have yet to be transferred are now blacklisted and thus cannot be transacted. Accordingly, the loss amount from this incident is limited to the $110M.
Samczsun provided a rough high-level analysis: the exploiter was able to convince BSC to send 1M BNB twice by forging the proof. BSC Token Hub uses a special pre-compiled contract for validating IAVL trees when performing cross-chain transaction verification. There is a bug in its implementation that may allow an attacker to forge arbitrary messages.