BNB Chain, Binance’s native contracts blockchain, suspended operations today after discovering an exploit that saw a large number of new BNB assets minted. The company estimated the impact at between U.S.$70-110 million in BNB, which it is working to identify and contain before the hacker can gain control of the funds.
In just a few years, BNB has become the world’s fourth highest ranked digital asset (including Tether), with a market cap of U.S.$46.68 billion. BNB’s price dropped from $293 to $282 after the news broke, though, at press time, it had recovered slightly.
Binance founder and CEO Changpeng “CZ” Zhao said the exploit occurred on the BSC Token Hub cross-chain bridge, used for fast swaps between BNB Beacon Chain (BEP2) and BNB Chain (BSC). He also issued the now-customary “your funds are safe” assurance to users while promising the issue would be fixed and asking users to “please give the team some time”:
An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly.
— CZ 🔶 Binance (@cz_binance) October 6, 2022
CZ added the amount of new BNB created was “about a quarter of the last BNB burn” if it is indeed ~U.S.$100 million. BNB Chain regularly “burns” assets (i.e., removes them permanently from circulation) to control supply. This may suggest the hacker used the burn process somehow to gain new BNB, though Binance is still investigating exactly what happened.
However, it is possible the total amount stolen or affected is much higher than Binance’s estimate. One investigator claimed the attacker was able to send two transactions of 1 million BNB (worth over U.S.$500 million) after finding a “critical bug” in the software.
Five hours ago, an attacker stole 2 million BNB (~$566M USD) from the Binance Bridge. During that time, I've been working closely with multiple parties to triage and resolve this issue. Here's how it all went down. pic.twitter.com/E0885Dc3lW
— samczsun (@samczsun) October 6, 2022
BNB Chain uses a “proof of staked authority” mechanism to validate transactions using a network of approved validators. When today’s exploit was discovered, Binance was able to send a quick message to those validators, who responded by suspending their activities. BNB Chain developers thanked 19 authorized validators by name “for their quick and decisive actions”:
A huge thank you to the following
Hash, Neptune, TW Staking, BSCScan, Legend, CertiK, Figment, NodeReal, Namelix, Defibit, Fuji, InfStones, MathWallet, Pexmons, Ankr, BNB48 Club, Avengers, Tranchess, Coinbase Cloud
For their quick and decisive actions – a true community.
— BNB Chain (@BNBCHAIN) October 6, 2022
Binance Coin (BNB) was initially launched in 2017 as an Ethereum-based token before moving to an independent blockchain called Binance Smart Chain (BSC) in 2020. It was later rebranded to BNB Chain after merging with an older version of Binance Chain. As a blockchain designed to run “smart contracts,” it competes with Ethereum as a platform for asset-swapping and “DeFi” applications.
Today’s incident also created a debate on social media over how “decentralized” BNB Chain really is, given that Binance was able to reach out quickly to its validator network and gain a response. The network consists of validators who operate independently, though their small number (~21) and “authorized validator” nature mean Binance likely has a strong priority communications link to operators.
Bitcoin creator Dr. Craig S. Wright has criticized BNB Chain as “not decentralized in any manner” and “distributed not decentralized,” with Binance as its owner and controller. Since BNB Chain’s approved validators are also stakers who vote with large amounts of BNB assets rather than with physical hardware, BNB Chain is more like a shareholder database. Bitcoin’s fundamental protocol rules are also “set in stone” and governed by the Swiss not-for-profit foundation, the Bitcoin Association for BSV, meaning no one can change those rules.
The original Bitcoin’s “alert key” system sent a priority message to transaction processors (miners) if a problem arose. Historically there have been a few times the key was used to warn miners/processors of software bugs and request a patch. Unlike BNB Chain’s validators, Bitcoin’s miners are not officially “approved” by any company, and Bitcoin uses proof-of-work (PoW) to validate transaction blocks. Presumably, Binance could revoke authorized validator status for any operator who didn’t respond.
We request BSC Validators to get in touch with us within the next few hours so that we can plan a node upgrade.
We'd like to thank the community again for their continuous support.
— BNB Chain (@BNBCHAIN) October 7, 2022
Bitcoin’s alert key was last used in 2014, and the feature was removed from the protocol in 2016. If used correctly, the alert key could potentially tell processors to freeze or unfreeze certain UTXOs in the event of a theft. Though the key was used to prompt software changes in the past, it was never used to recover funds.