December 6th, 2022
In November 2022, an attacker drained over $5 million in tokens from the Ankr project via a private key leak, but the damage didn’t stop there. A follow-on attack against Helio netted an attacker approximately $19 million in stolen tokens.
Ankr is a project based on the Binance Smart Chain. The project was in the midst of an update process in which they were changing the models for their reward-bearing and earning tokens to benefit the community.
During this update process, the private key used to govern contract updates was compromised and used by an attacker. With this key, the attacker was able to update the contract to a malicious, attacker-controlled version. This new contract removed access controls for the contract’s mint function, allowing the attacker to mint 60 trillion aBNBc tokens, worth over $5 million in total.
Exploits of the Ankr vulnerability caused a 99% crash in the value of aBNBc tokens. However, Helio, a staking platform, was using delayed oracle data that did not reflect the crash.
An attacker exploited this out-of-date data by using the Ankr vulnerability to mint 183,000 aBNBc tokens and deposit them into Helio. They then took out a loan of $16 million worth of HAY stablecoin. These tokens were then swapped for 15 million BUSD.
The original Ankr exploit was made possible by a compromised private key. Since the Ankr update process was managed by a single key, an attacker with access to that key had the ability to deploy a malicious contract. The use of multi-signature wallets would have made this more difficult to accomplish.
The Helio exploit was enabled by out-of-date oracle data. If the Helio oracle data reflected the aBNBc price crash, then the attacker would not have been able to drain value from the protocol via a loan.
Protecting against smart contract exploits requires designing smart contract code and management processes to make these types of attacks difficult. To learn more, reach out to our Web3 security experts at firstname.lastname@example.org.