Binance Smart Chain (BSC) has been paused after hackers reportedly stole 2 million Binance Coins (BNB), worth $566 million, from the Binance Bridge.
The CEO of Binance acknowledged the security incident and tweeted that an exploit was used in the BSC Token Hub to transfer the BNB to the attacker and that they had asked all validators to suspend the Binance Smart Chain.
An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly.— CZ 🔶 Binance (@cz_binance) October 6, 2022
All the stolen BNB was worth around $560M as of Oct. 6. The attacker then deposited BNB into Venus, a lending protocol on BSC, and borrowed 150M in stablecoins.
In the blog post, Binance wrote-
"There was an exploit affecting the native cross-chain bridge between BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20 or BSC), known as “BSC Token Hub.” A total of 2 million BNB was withdrawn. The exploit was through a sophisticated forging of the low-level proof into one common library."
Just an hour after the news of the security incident goes online, a post on popular hacker forums emerged selling 500K Binance user information(KYC) including mail and passwords for a price of 50000USD in Bitcoin. Hackers claim the data is from the current month (October), including identity information, phone number, and mail address. The hacker (Seller of data) is offering to give 500 BNB for free to every buyer. [Sample data check below image]
Binance offers a bounty of 10% of the recovered fund to individuals or groups for catching hackers. Additionally, Binance announced to start Whitehat program (BugBounty Program) for future bugs found, and $1M for each significant bug found
"Lastly, we owe a debt of gratitude to the community for moving so quickly to minimize what could have been a more serious incident. We’re sorry for any inconvenience that the suspension of BNB Smart Chain has caused, but we are truly grateful to the community for their support." - Binance wrote.
A crypto and web3 researcher "samczsun" tweeted a long thread explaining the attack scenario.
It all started when @zachxbt sent me the attacker's address out of the blue. When I clicked into it, I saw an account worth hundreds of millions of dollars. Either someone had pulled off a huge rug, or there was a massive hack underway pic.twitter.com/OipdKymjFL— samczsun (@samczsun) October 6, 2022