The BNB chain-based Ankr defi protocol has suffered a significant exploit as a result of a major bug in its code that allowed for limitless minting of its token. The team has already confirmed this on Twitter and stated that none of the infrastructure services was affected and that all staking assets remained secure.
The Ankr contract’s code, according to security analytics company PeckShield, reportedly permits any user to create an infinite number of the protocol’s reward-bearing staking tokens without verification. This made it possible for the attacker to issue six quadrillion aBNBc tokens.
Our analysis shows the $aBNBc token contract has an unlimited mint bug. Specifically, while mint() is protected with onlyMinter modifier, there is another function (w/ 0x3b3a5522 func. signature) that completely bypasses the caller verification to have arbitrary mint !!! https://t.co/h51e7xpcVf pic.twitter.com/caRgasNNHq
— PeckShield Inc. (@peckshield) December 2, 2022
The attacker was able to exchange 20 trillion of the aBNBc token for BNB after creating the quadrillions of aBNBc. According to a Twitter tweet from another on-chain analysis firm Lookonchain, the exploiter has subsequently swapped and obfuscated the funds using services like Uniswap, Tornado Cash, and different bridges to earn about $5 million in USD Coin (USDC).
The platform’s Ankr Reward Bearing Staked BNB (aBNBc) has dropped by more than 99% since the attack. According to Coinmarketcap data, the token has fallen from over $300 to just $1.5 in the last 24 hours, although with a trading volume of 14,138% at press time.
Ankr Asks for Immediate Withdrawal Halting
The platform acknowledged the exploitation of the decentralized finance protocol while also confirming the exploitation of its Ankr Reward Bearing Staked BNB (aBNBc) coin.
All underlying assets on Ankr Staking are safe at this time, and all infrastructure services are unaffected.
— Ankr (@ankr) December 2, 2022
They said they were currently working with exchanges to immediately stop trading. The CEO of Binance, CZ confirmed that his exchange had paused withdrawals and also froze about $3m that hackers moved to the platform.
“We are currently drafting a plan and we are committed to compensating affected users,” Ankr Tweeted.
The team, who also pledges to reissue the almost zeroed aBNBc, encourages users not to trade and, if they are liquidity providers, to remove liquidity from DEXes.
On the other hand, an opportunistic trader profited from the exploit and converted 10 BNB ($2,885) into 15.5 million BUSD. The trader achieved this by using Helio, a DeFi lending protocol, which did not have accurate pricing for aBNBc post-crash.
The trader was also able to borrow $16 million of the seldom traded HAY stablecoin and convert it into BUSD by using the pre-crash aBNBc price. This has knocked the HAY stablecoin off its peg, falling as low as 20 cents, but is presently recovering again, with a price of 63 cents, according to CoinMarketCap.