Ankr, a web3 infrastructure project on BNB Chain, has suffered a major exploit with an attacker minting and dumping millions worth of its wrapped BNB token, aBNBc.

On Dec. 2, Nansen, an on-chain analytics provider, flagged that six quadrillion aBNBc had been abruptly minted.

It adds that the hacker is racing to offload the tokens onto BNB Chain-based decentralized exchanges, using the network's deployment of Tornado Cash — a crypto mixing protocol designed to obfuscate the transaction history for digital assets — to move their illicit gains to the Ethereum network.

LookonChain, an on-chain analytics firm, also tweeted that the hacker made off with at least $5M in profits.

The Attack and the Responses

The attack was discovered by on-chain security analyst PeckShield at approximately 12:35 am UTC on Dec. 2.

Within an hour of the attack, Ankr confirmed on Twitter that the aBNB token had been exploited and that they're working with exchanges to halt trading of the compromised token immediately.

"Our aBNB token has been exploited, and we are currently working with exchanges to halt trading immediately."

The attacker was purportedly able to mint 20 trillion Ankr Reward Bearing Staked BNB (aBNBc), a reward-bearing token for BNB staked on the protocol.

According to a Twitter post from on-chain analysis firm Lookonchain, the exploiter has since used services such as Uniswap, Tornado Cash, and various bridges. This is a way of helping them swap and obfuscate the funds to gain around $5 million worth of USD Coin.

Ankr said it is working with exchanges to halt trading for the aBNBc token.

"All underlying assets on Ankr Staking are safe at this time, and all infrastructure services are unaffected," it added.

Different Thoughts of the Attack

BowTiedPickle, a smart contract developer, suggested that the incident was either an inside job or resulted from Ankr's deployer key becoming compromised.

"[He] deployed an attacking contract, changed the upgradeable aBNBc contract to the malicious implementation, then called the 0x3b3a5522 function to mint 10,000,000,000 tokens to his wallet," the developer said.

Beosin also noted that the mass minting episode caused the price of aBNBc to fall 99.5% from $303.89 to $1.53 in a matter of hours, according to data from CoinMarketCap.

In a Dec. 2 Twitter post, crypto exchange Binance confirms that its team is engaging with relevant parties to investigate the matter further, adding that Binance's user funds are not at risk. The BNB Chain Twitter page also states that the exploiter's wallet address has been blacklisted.

We hope the attack does not affect trading and customers' assets.