A review of the BNB Chain attack, involving more than 850 million U.S. dollars

On October 7, 2022, according to monitoring by Chengdu Lianan's Hawkeye blockchain security situational awareness platform, the BNB Chain cross-chain bridge "Token Hub" was attacked by hackers. A large amount of money is involved, and the incident spans multiple chains. According to the collation and tracking of the Chengdu Lianan security team, the stolen assets on the Binance chain that do not involve the cross-chain part currently amount to 710 million U.S. dollars; adding the stolen assets of the cross-chain part, we initially estimate the total amount involved at around 850 million U.S. dollars.

Why did this attack, which shocked the entire industry, occur? The Chengdu Lianan security team analyzed the event immediately.

How BNB Chain was targeted by hackers

At around 6:00 Beijing time on October 7, BNB Chain tweeted that, due to abnormal activity, it was under maintenance and had temporarily suspended all deposits and withdrawals through the BNB Chain until further notice.

In another tweet, BNB Chain stated that about 70 to 80 million U.S. dollars of funds had been withdrawn, and 7 million U.S. dollars had been frozen.

At 7:41, Binance CEO Changpeng Zhao tweeted that a vulnerability in the BNB Chain cross-chain bridge "Token Hub" had led to extra BNB being issued, and that all validators had been asked to suspend the BNB Chain. The issue was under control, funds were safe, and further updates would follow.

This time, hackers once again focused on a cross-chain bridge. Because of their complexity and the huge wealth they accumulate, cross-chain bridges are often the primary target of hacker attacks. For the details of this attack, read on.

Attack time and hacker technique analysis

At 0:55 on October 7, the attacker paid 100 BNB to register as a relayer by calling the contract at block height 21955968.

Beginning at around 2:30 in the morning, the attacker obtained a total of 2 million BNB from the BNB Chain "TokenHub" system contract in two phases (2:26 and 4:43). Of this, 900,000 BNB was deposited as collateral on Venus, a lending protocol on the BNB Chain, against which 62.5 million BUSD, 50 million USDT, and 35 million USDC were borrowed.

The Chengdu Lianan security team analyzes the method as follows:

The Binance cross-chain bridge BSC Token Hub uses a special precompiled contract to verify IAVL tree proofs when validating cross-chain transactions. However, this implementation contains a vulnerability that may allow an attacker to forge arbitrary messages.

1) The attacker first selects the hash of a successfully submitted block (the specified block: 110217401)

2) Then constructs the attack payload as a leaf node on the verified IAVL tree

3) Adds an arbitrary new leaf node to the IAVL tree

4) At the same time, adds a blank internal node so that the proof passes verification

5) Adjusts the leaf node added in step 3 so that the computed root hash equals the correct root hash of the successfully submitted block selected in step 1

6) Finally constructs the withdrawal proof for this specific block (110217401)

Of course, some details still need to be refined. The Chengdu Lianan security team is conducting in-depth research and will share the results as soon as possible.
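Steps 4 and 5 above come down to one defensive rule for any Merkle-proof verifier: every hash on the path must be recomputed by the verifier from the leaf upward, and a proof node whose shape a binary tree cannot produce (no sibling hash, two sibling hashes, a hash of the wrong length) must be rejected before it is hashed, so that prover-supplied nodes never act as free slots to be adjusted until the root lines up. The following Go program is an added example written for this article; it is not code from the original post, from Chengdu Lianan, or from the BNB Chain or cosmos/iavl code bases. The `ProofLeaf` and `ProofInner` types, the hashing scheme, `Verify`, `BuildProof` and the sample packet records are all constructed for the example and differ from the real library.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Simplified IAVL-style proof types, constructed for this example; the real
// cosmos/iavl library encodes nodes differently and carries more fields.
type ProofLeaf struct{ Key, Value []byte }

// One step from the proven leaf up to the root: exactly one of Left/Right holds
// the sibling's hash, and the verifier recomputes the other side itself.
type ProofInner struct{ Left, Right []byte }

var (
	ErrMalformedProof = errors.New("malformed proof")
	ErrRootMismatch   = errors.New("computed root hash does not match trusted root")
)

func u32(n int) []byte {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], uint32(n))
	return b[:]
}

// leafHash: domain byte 0x00, then length-prefixed key and value (boundaries cannot shift).
func leafHash(l ProofLeaf) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{{0x00}, u32(len(l.Key)), l.Key, u32(len(l.Value)), l.Value}, nil))
	return sum[:]
}

// innerHash: domain byte 0x01; the recomputed child hash lands on whichever side is empty.
func innerHash(n ProofInner, child []byte) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{{0x01}, n.Left, child, n.Right}, nil))
	return sum[:]
}

// Verify recomputes the root from the leaf upward and compares it with the trusted
// root. Every inner node is shape-checked before it is hashed: a node with no sibling
// hash (a "blank" inner node) or with two sibling hashes cannot be a step in a binary
// tree, so it is rejected rather than hashed into the path.
func Verify(trustedRoot []byte, leaf ProofLeaf, path []ProofInner) error {
	h := leafHash(leaf)
	for i, n := range path {
		hasL, hasR := len(n.Left) != 0, len(n.Right) != 0
		if hasL == hasR {
			return fmt.Errorf("%w: inner node %d must carry exactly one sibling hash", ErrMalformedProof, i)
		}
		if (hasL && len(n.Left) != sha256.Size) || (hasR && len(n.Right) != sha256.Size) {
			return fmt.Errorf("%w: inner node %d sibling hash has wrong length", ErrMalformedProof, i)
		}
		h = innerHash(n, h)
	}
	if !bytes.Equal(h, trustedRoot) {
		return ErrRootMismatch
	}
	return nil
}

// BuildProof is the honest prover: a balanced tree over the (non-empty) leaves, returning
// the root hash and the leaf-to-root path for leaves[target] (found=false if out of range).
func BuildProof(leaves []ProofLeaf, target int) (root []byte, path []ProofInner, found bool) {
	return build(leaves, 0, len(leaves), target)
}

func build(leaves []ProofLeaf, lo, hi, target int) ([]byte, []ProofInner, bool) {
	if hi-lo == 1 {
		return leafHash(leaves[lo]), nil, lo == target
	}
	mid := (lo + hi) / 2
	lh, lp, lf := build(leaves, lo, mid, target)
	rh, rp, rf := build(leaves, mid, hi, target)
	root := innerHash(ProofInner{Left: lh}, rh) // H(0x01 || left || right)
	if lf {
		return root, append(lp, ProofInner{Right: rh}), true
	}
	if rf {
		return root, append(rp, ProofInner{Left: lh}), true
	}
	return root, nil, false
}

// SampleLeaves is constructed data standing in for cross-chain packet records.
func SampleLeaves() []ProofLeaf {
	return []ProofLeaf{
		{[]byte("pkt:1"), []byte("transfer 10 BNB")},
		{[]byte("pkt:2"), []byte("transfer 25 BNB")},
		{[]byte("pkt:3"), []byte("transfer 4 BNB")},
		{[]byte("pkt:4"), []byte("transfer 7 BNB")},
		{[]byte("pkt:5"), []byte("transfer 1 BNB")},
	}
}

func main() {
	leaves := SampleLeaves()
	root, path, _ := BuildProof(leaves, 2)
	fmt.Println("honest proof:", Verify(root, leaves[2], path))
	blank := append([]ProofInner{{}}, path...) // a blank inner node prepended to the path
	fmt.Println("blank inner node:", Verify(root, leaves[2], blank))
}
```

The structural checks run before any hashing, so a malformed node is reported by position with a wrapped `ErrMalformedProof`, while a well-formed proof for the wrong leaf or a tampered value fails only at the final root comparison with `ErrRootMismatch`; keeping the two failure classes distinct makes it easy to alert on malformed proofs separately from ordinary mismatches.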

The Chengdu Lianan security team tracked and analyzed the stolen funds through Lianbizhui, its virtual currency case intelligent research and judgment platform, and found that a total of 143.57 million U.S. dollars of stolen funds (including borrowed funds) were transferred across chains. Of these, 77.39 million U.S. dollars was transferred to Ethereum through various cross-chain bridges, 58.96 million U.S. dollars remained on the FTM chain (including various gUSDT), 4 million U.S. dollars was on Arbitrum, 1.72 million U.S. dollars was on a chain not named in the text, 400,000 U.S. dollars was on Polygon, and 1.1 million U.S. dollars was on Optimism.

[Figure: Lianbizhui virtual currency case intelligent research and judgment platform, intelligent research and judgment module]

[Figure: Lianbizhui virtual currency case intelligent research and judgment platform, address analysis module]

[Figure: Lianbizhui virtual currency case intelligent research and judgment platform, fund analysis module]

[Figure: fund statistics compiled by the Chengdu Lianan security team on the Lianbizhui platform]

Is BNB Chain still safe after block production was restored?

At around 9:30 on October 7, BNB Chain officially posted on social media that it had asked BNB Chain node validators to contact them in the next few hours so that they could plan node upgrades.

At 13:00, BNB Chain tweeted that BSC v1.1.15 had been released and that BSC validators were coordinating to restore the BNB Smart Chain (BSC) within one hour. The new version blocks activity related to the hacker's accounts, and native cross-chain communication between the BNB Beacon Chain and the BNB Smart Chain has been disabled. All node operators were officially asked to upgrade to this version. Validators and the community will discuss further upgrades to fully address the issue.

At around 3:00 p.m., BNB Chain tweeted that the BNB Smart Chain (BSC) had been running normally for more than 20 minutes; validators were confirming their status, and community infrastructure was being upgraded. BscScan data also shows that the BNB Chain network resumed block production.

Monitoring by the Chengdu Lianan security team shows that, after the restart, the current BSC node software prevents the movement of the stolen funds and further potential attacks by blacklisting the accounts involved and by suspending the iavlMerkleProofValidate function.

Closing thoughts on the security of cross-chain bridges

As blockchain has gone through a long period of development, both blockchain projects and blockchain security companies now pay more attention to security than before. But cross-chain bridge code is complex and includes off-chain components, and some projects remain very vulnerable to attack.

Cross-chain bridges are usually large projects with a large amount of code, and the combination of multiple components is prone to composite vulnerabilities. These vulnerabilities are relatively well hidden yet easy for hackers to exploit. Another high-risk area of cross-chain bridges is off-chain security: since off-chain code is generally audited separately from on-chain code, and project teams usually vouch for its security themselves, many vulnerabilities are overlooked.

In the past, many cross-chain bridge attacks went through off-chain vulnerabilities or private key leaks. This attack constructed a specific root hash in order to build a withdrawal proof for a specific block, which is what made the attack work; its difficulty was relatively high, and the amount was also large compared with past incidents. This incident also reminds us that vulnerabilities are often in unexpected places, so we can only keep improving project security and discover these problems before those with ulterior motives do, in order to better protect the security of the blockchain ecosystem.

As a world-leading blockchain security company dedicated to building the blockchain security ecosystem, Chengdu Lianan is also the first company to apply formal verification technology to blockchain security. It has established in-depth cooperation with blockchain enterprises and has provided security audit and defense deployment services for more than 2,500 smart contracts and more than 100 blockchain platforms and deployed application systems around the world. Chengdu Lianan also has the capability to combat virtual currency crime and to provide anti-money laundering technical services across the whole chain. It has provided law enforcement agencies such as the public security with more than a thousand instances of full-chain technical support before, during and after cases, including several incidents whose funds entered the mixer platform Tornado Cash, and has successfully assisted in cracking cases involving tens of billions of dollars.

Source: blog.csdn.net/m0_73579103/article/details/127227424