Cyber-criminals have stolen an estimated two million Binance coins (BNB) from a popular cross-chain bridging service, potentially landing them with a haul of over $570m at today’s exchange rates.
Twitter user @samczsun, a researcher at crypto investment firm Paradigm, explained in a thread on the social media site how the heist at Binance Bridge happened.
He claimed that the hacker managed to exploit a vulnerability in the way the bridging service validates “proofs,” enabling them to request one million BNB from Binance Bridge on two separate occasions.
“In summary, there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages. Fortunately, the attacker here only forged two messages, but the damage could have been far worse,” said @samczsun.
More specifically, the hack impacted BSC Token Hub, which is the bridge between BNB Beacon Chain (BEP2) and BNB Chain (BEP20 or BSC), according to Binance CEO, Changpeng Zhao.
He explained earlier today on Twitter that the firm asked all validators to temporarily suspend BSC in order to contain the issue, claiming to users that their funds are safe.
Despite the huge potential value of the heist, it appears that the threat actor only managed to move a fifth or less of those funds off the BNB Smart Chain, thanks to the work of the crypto community.
“Initial estimates for funds taken off BSC are between $100m and $110m. However, thanks to the community and our internal and external security partners, an estimated $7m has already been frozen,” a Reddit post noted.
“We are humbled by the speed and collaboration from the community to freeze funds.”
Binance thanked the “quick and decisive actions” of various crypto stakeholders in helping to lock down these funds.