Ankr says ex-employee caused $5M exploit, vows to improve security

Published at: Dec. 21, 2022

A $5 million hack of Ankr protocol on Dec. 1 was caused by a former team member, according to a Dec. 20 announcement from the Ankr team.

The ex-employee conducted a “supply chain attack” by putting malicious code into a package of future updates to the team’s internal software. Once this software was updated, the malicious code created a security vulnerability that allowed the attacker to steal the team’s deployer key from the company’s server.

“After Action Report: Our Findings From the aBNBc Token Exploit. We just released a new blog post that goes in-depth about this: https://t.co/fyagjhODNGA”

— Ankr Staking (@ankrstaking) December 20, 2022

Previously, the team had announced that the exploit was caused by a stolen deployer key that had been used to upgrade the protocol’s smart contracts. But at the time, they had not explained how the deployer key had been stolen.

Ankr has alerted local authorities and is attempting to have the attacker brought to justice. It is also shoring up its security practices to protect access to its keys in the future.

Upgradeable contracts like those used by Ankr rely on the concept of an “owner account” that has sole authority to make upgrades, according to an OpenZeppelin tutorial on the subject. Because of the risk of theft, most developers transfer ownership of these contracts to a Gnosis Safe or other multisig account. The Ankr team says that it did not use a multisig account for ownership in the past but will do so from now on, stating:

“The exploit was possible partly because there was a single point of failure in our developer key. We will now implement multi-sig authentication for updates that will require signoff from all key custodians during time-restricted intervals, making a future attack of this type extremely difficult if not impossible. These features will improve security for the new ankrBNB contract and all Ankr tokens.”

Ankr has also vowed to improve HR practices. It will require “escalated” background checks for all employees, even ones who work remotely, and it will review access rights to make sure that sensitive data can only be accessed by workers who need it. The company will also implement new notification systems to alert the team more quickly when something goes wrong.

The Ankr protocol hack was first discovered on Dec. 1. It allowed the attacker to mint 20 trillion Ankr Reward Bearing Staked BNB (aBNBc), which were immediately swapped on decentralized exchanges for around $5 million in USD Coin (USDC) and bridged to Ethereum. The team has stated that it plans to reissue its aBNBb and aBNBc tokens to users affected by the exploit and to spend $5 million from its own treasury to ensure these new tokens are fully backed.

The developer has also deployed $15 million to repeg the stablecoin HAY, which became undercollateralized due to the exploit.
