Global cryptocurrency exchange Binance has suffered a cyberattack which saw $570m of its own token, BNB, stolen by hackers. The criminals exploited a vulnerability in the BNB blockchain’s cross-chain coin bridge. Such attacks on coin bridges, which allow transfers between different digital currencies, are becoming increasingly common, and rigorous code auditing is required to ensure weaknesses are spotted.
The attack saw two million BNB, with a value of $570m, withdrawn from the Binance bridge.
Though it was initially reported that digital currency worth $100m had been taken, the latest update from the BNB chain says a total of two million BNB was withdrawn, which is the equivalent of around $570m. It says the attacker was able to use an exploit affecting the native cross-chain bridge between BNB Beacon Chain and BNB Smart Chain, known as the BSC Token Hub.
The BNB blockchain was initially taken offline when details of the attack emerged, but is now back up and running.
Cross-chain bridge attacks are common
A cross-chain bridge connects different blockchains to allow the transfer of assets and information. Bridges hold a central store of funds that backs the ‘bridged’ assets on the receiving blockchain, which makes them a target for hackers.
Earlier this year an attack on gaming platform Axie Infinity’s Ronin Bridge cost the company $624m in crypto tokens. The attacker reportedly located a back door into the bridge that allowed them to withdraw 173,600 Ethereum, as well as 25.5m USD tokens. In August, cross-chain platform Nomad suffered a brutal hack due to a vulnerability in its own bridge, which saw digital currency worth $190m disappear from the platform in a matter of hours.
“The main problem with bridges is, when you get access to the bridge, you get access to the whole liquidity,” explains Slava Demchuk, CEO and co-founder of cryptocurrency compliance platform AMLBot.
What can be done to secure cross-chain bridges?
The best way to secure cross-currency coin bridges is to ensure they are properly audited, explains Kim Grauer, director of research at blockchain analysis company Chainalysis. “Hackers are always looking for the newest and most vulnerable services to attack,” she says.
Auditing could help both those who are building protocols and the investors putting money into decentralised finance, or DeFi, projects, says Grauer. “Over time, the strongest, safest smart contracts can serve as templates for developers to build from,” she argues.
Research from Chainalysis says social engineering tactics are commonly used to find entry points into blockchain companies. It is thought this is what happened in the case of Axie Infinity, where a fake job offer to one of the game’s developers was used by North Korean hackers to gain access to internal systems and its coin bridge.