A series of linked attacks cost infrastructure provider Ankr and stablecoin issuer Helio Protocol a combined $20 million, according to an BlockSec investigation.
Ankr's liquid staking token product was the subject of the first attack, which cost the company more than $5 million.
According to BlockSec and other analysts, an unidentified hacker used a loophole in Ankr's smart contract to mint quadrillions of aBNBc, a reward token linked to the value of Binance's exchange currency BNB/USD.
After minting those tokens, the attacker traded them and drained all their liquidity on BNB Chain's decentralized exchanges to escape with more than $5 million.
Ankr conceded to the exploit and said it was working with exchanges to prevent deposits from coming from addresses linked to the attacker.
"We will take a snapshot and reissue ankrBNB to all valid aBNBc holders before the exploit. The ankrBNB token will continue to be redeemable, while aBNBc and aBNBb will no longer be redeemable," Ankr said in a tweet.
The price of the aBNBc coin dropped by more than 99% when the hacker sold off a significant amount of them on decentralized exchanges.
This Made Room For The Second Attack
In the second incident, BlockSec discovered that an unidentified person had purchased 183,000 aBNBc tokens for 10 BNB ($2,900).
The attacker then used the tokens to siphon cash from Helio Protocol, a stablecoin issuer based on the BNB Chain.
Due to Helio Money's oracle system's inability to update aBNBc prices following its sharp decline, the attacker was able to borrow $16 million in the HAY stablecoin.
Oracles are outside companies that provide data retrieval services for certain blockchains. Decentralized finance (DeFi) protocols heavily rely on oracles to guarantee the accuracy of their lending, borrowing, and other services. However, delays could result in financial losses if malicious traders exploit price disparities.
The attacker caused a significant loss to the protocol when they exchanged their HAY stablecoin for $15 million in Binance USD BUSD/USD.
According to BlockSec, $15 million of the stolen money from the second hack was transferred to the cryptocurrency exchange Binance.
As of now, $3 million of the funds have reportedly been seized, according to Changpeng Zhao, CEO of Binance.
© 2023 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.
Visit Benzinga's Crypto Homepage - 1,000,000+ depend on Benzinga Crypto every month