{"id":1680,"date":"2022-10-07T14:04:10","date_gmt":"2022-10-07T14:04:10","guid":{"rendered":"https:\/\/metaschool.so\/articles\/?p=1680"},"modified":"2023-01-11T13:07:28","modified_gmt":"2023-01-11T13:07:28","slug":"binance-smart-chain-bnb-hack","status":"publish","type":"post","link":"https:\/\/metaschool.so\/articles\/binance-smart-chain-bnb-hack\/","title":{"rendered":"$566 million of crypto tokens stolen from Binance\u2019s BNB Chain by hacker"},"content":{"rendered":"<p>This shocking news of Binance&#8217;s BNB Chain hack comes just weeks after the <a href=\"https:\/\/metaschool.so\/articles\/wintermute-hack-profanity\/\">Wintermute hack<\/a> took place. 
<\/p>\n\n\n\n<p><a href=\"https:\/\/metaschool.so\/blockchains\/binance?ref=Articles&amp;utm_source=Blog_Organic\" target=\"_blank\" rel=\"noreferrer noopener\">Binance<\/a>, the world&#8217;s largest cryptocurrency exchange, and its BNB Smart Chain (BSC, formerly Binance Smart Chain) suffered a massive hack just 5 hours ago. The attacker managed to steal a total of 2M BNB, worth almost USD 566M at the time.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-did-the-bnb-chain-hack-happen\"><span class=\"ez-toc-section\" id=\"How_did_the_BNB_Chain_hack_happen\"><\/span>How did the BNB Chain hack happen?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The CEO of Binance, <a href=\"https:\/\/metaschool.so\/articles\/changpeng-zhao-binance-profile\/\">Changpeng Zhao<\/a>, confirmed the news in a tweet. The hacker exploited a bug in the BSC Token Hub, widely reported as the Binance Bridge: the native cross-chain bridge that lets BNB Beacon Chain and BNB Smart Chain exchange messages and tokens.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/0AAAv6Y6lmzSPmMPP3A3G5n63etnkMMTHZSSA0FHCsh9EmPI5vKBJ9FMNHTE7wGIcUsSpawLtNvW9807qqbBaktcIZdYsteqztDu_OwTJlNjYyU4kIMhBNp0k6OeAS71QIuf3cAHP1oFM8gW7KbS8G64QqHjG2WxMLcaX1nQEaN95rH_X8PLzq4NtQ\" alt=\"\"\/><\/figure><\/div>\n\n\n\n<p>The irregular activity on the chain came to notice when 2M BNB were transferred to a single address. 
The hacker had found a critical bug and convinced the bridge to send them 1M BNB, twice.<\/p>\n\n\n\n<p>Note that the hacker did not drain an existing pool: the bridge minted 2 million BNB that had never existed and transferred it to their wallet, i.e. the coins were generated out of thin air. Binance is expected to identify the \u201cfalsely generated coins\u201d and freeze them.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/NWZsJNfWiNGQ2mYpZC95GBb4m6lWaI4w1DuNbVSDetnU63nTiTYv9x09akBGylgAohQeTYvhfMK5cYaA6kO0Y-Wc3UOCWnMu9OxZtfcE6HCREbwky3MzQla-o0GuHXcAUF31-gXh7Mzx09SzcWJYOjL_h_knQ_npYfBg8yfUtfaCgmAD57BlwsJq9w\" alt=\"\"\/><\/figure><\/div>\n\n\n\n<p>This doesn\u2019t mean investors didn&#8217;t suffer: minting a huge amount of coins dilutes the value of every legitimate coin on the chain, ultimately stealing a little bit from everyone.<\/p>\n\n\n\n<p>The official BNB Chain account has said that, with the help of the community, about USD 7M has already been frozen.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"900\" src=\"https:\/\/metaschool.so\/articles\/wp-content\/uploads\/2022\/10\/unnamed.jpeg\" alt=\"simpsons crypto hack meme\" class=\"wp-image-1681\" srcset=\"https:\/\/metaschool.so\/articles\/wp-content\/uploads\/2022\/10\/unnamed.jpeg 800w, https:\/\/metaschool.so\/articles\/wp-content\/uploads\/2022\/10\/unnamed-267x300.jpeg 267w, https:\/\/metaschool.so\/articles\/wp-content\/uploads\/2022\/10\/unnamed-768x864.jpeg 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>This incident just goes to show no one is safe from hacks, even Binance<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-technicalities-of-the-binance-smart-chain-hack\"><span class=\"ez-toc-section\" id=\"The_technicalities_of_the_Binance_Smart_Chain_hack\"><\/span>The technicalities of the Binance Smart Chain hack<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Comparing the hacker\u2019s withdrawal transactions with legitimate withdrawals, the block height the attacker submitted was always the same number: 110217401.<\/p>\n\n\n\n<p>FYI,<em> block height refers to&nbsp;<strong>a specific location in a blockchain, measured by how many confirmed blocks precede it<\/strong>.<\/em><\/p>\n\n\n\n<p>The heights in legitimate withdrawals, by contrast, were far more recent, e.g. 270822321.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/fFrE2EYT8sa0_nTYDlUZF7wFrNfb1ZuyaZ9MZQpyIekCjryqCT83oygNrlBGjwGO1ikG5p8Yc-tA6ayAiG7DKkr2b--jBG_1-8ZhCCAs6Pad0sXJSIwUPhLntulyV9RyMwoOCGiL2XPTx9iXBbupBq0ZqrlBSzKQCga_tRv2sSoFLb6Csofh3_1CLA\" alt=\"\"\/><\/figure>\n\n\n\n<p>Additionally, the attacker\u2019s proof was significantly shorter than the proofs in legitimate withdrawals. Together these two facts suggest that the attacker found a way to forge proofs for one specific block, 110217401, and reused it. Because the bridge checks each proof against the app hash it has stored for the height the proof claims, a single historical block for which forged proofs verify is all an attacker needs.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/1CM6CYF3o6wsdVeX92hi1FWT5MzFFN8OMjGhpSo94_Nd-J7co_egE5tyNBu-Mw1_SS8wd-jAM_zqZHaoqJig5NBBlGurKJiFllxWVhMuQgEurYHL6CTTbiYoccfM2Uo1IxO3pmaAv-mKAPOsV_8OEPdb0jw-lcPxFYTk1X8EIB3AFiOwLWBPRdFA8Q\" alt=\"\"\/><figcaption>The length of the attacker\u2019s proof vs a legit proof<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-iavl-tree-is-relevant-to-the-bnb-hack\"><span class=\"ez-toc-section\" id=\"How_IAVL_tree_is_relevant_to_the_BNB_hack\"><\/span>How IAVL tree is relevant to the BNB hack<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>BNB Smart Chain exposes a precompiled contract that the bridge calls to verify IAVL Merkle proofs. 
<\/p>\n\n\n\n<p>But wait, what are IAVL trees? It\u2019s a broad topic, so let us stick to what matters for this hack.<\/p>\n\n\n\n<p>The IAVL tree is derived from the AVL tree, named after its inventors Adelson-Velsky and Landis. The \u201cI\u201d in IAVL stands for \u201c<a href=\"https:\/\/metaschool.so\/articles\/immutable-blockchain\/\">immutable<\/a>\u201d: a saved version of the tree is never changed in place.&nbsp;<\/p>\n\n\n\n<p>Simply put, an AVL tree is a self-balancing binary search tree: after every insert or delete it rotates nodes so that the two subtrees under any node differ in height by at most one, which keeps lookups logarithmic. The IAVL variant (from the Cosmos ecosystem that BNB Beacon Chain builds on) additionally stores a hash in every node, making it a Merkle tree, so a short proof (the leaf plus the sibling hash at each step up to the root) can show that a given key and value are part of the tree with a given root hash.<\/p>\n\n\n\n<p>To verify a proof you submit a list of proof \u201coperations\u201d. The bridge expects two of them: an \u201ciavl:v\u201d operation, which proves that a key and value exist in one store\u2019s IAVL tree, and a \u201cmultistore\u201d operation, which proves that the store\u2019s root hash is part of the app hash of the block. Check <a href=\"https:\/\/t.co\/d4ZY9HvFR9\" target=\"_blank\">this<\/a> GitHub repo for more information.<\/p>\n\n\n\n<p>Both operations must succeed, so to forge a proof an attacker needs the \u201ciavl:v\u201d step to accept a leaf that was never in the tree while the final \u201cmultistore\u201d step still returns the hash of the specified block.<\/p>\n\n\n\n<p>What seems to have happened is that the attacker took a legitimate proof and modified it so that it:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Added a new leaf carrying the forged payload<\/li><li>Added a blank inner node to satisfy the prover<\/li><li>Tweaked the leaf so the verifier exited early with the correct root hash<\/li><\/ol>\n\n\n\n<p>Based on my research, that was probably the method used for the hack.&nbsp;<\/p>\n\n\n\n<p>In summary, there was a bug in the way the Binance Bridge verified proofs, which allowed the hacker to forge arbitrary messages.<\/p>\n\n\n\n<p>Fortunately, the hacker forged only two messages, as shown above, and the community worked promptly to halt and secure the BNB chain; otherwise the damage could have been far worse.<\/p>\n\n\n\n<p>Do you have BNB tokens? Did this hack affect you and others? Share this on your socials with your comments. 
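<\/p>\n\n\n\n<p>To make the verification step concrete, here is an added worked example in Go (the language of the iavl library and of the chain clients); it is not code from the original article, from Binance or from iavl. It models a proof as a leaf plus a path of inner nodes, each carrying its sibling hash on exactly one side, which follows IAVL\u2019s ProofInnerNode convention in simplified form (the real library also hashes height, size and version into every node). The Bridge type is hypothetical, the 4-leaf tree and the withdrawal packets are constructed sample data, and the two heights are the numbers quoted above reused only to stand for \u201ca recent header\u201d and \u201ca much older header\u201d. The scenarios apply the three manipulations listed above (a new leaf, a blank inner node, a tweaked leaf) to a sound verifier and show that each one is rejected.<\/p>\n\n

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ProofInnerNode: exactly one side holds the sibling hash; the proved child sits on the empty side (simplified from iavl).
type ProofInnerNode struct{ Left, Right []byte }

// Proof is a membership proof for one key/value; Path is ordered leaf-side first.
type Proof struct {
	Key, Value []byte
	Path       []ProofInnerNode
}

// hashNode length-prefixes each part and tags leaves (0) and inner nodes (1) separately.
func hashNode(tag byte, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte{tag})
	for _, p := range parts {
		binary.Write(h, binary.BigEndian, uint32(len(p)))
		h.Write(p)
	}
	return h.Sum(nil)
}

// ComputeRoot folds the leaf hash through every inner node; no early exit, blank nodes rejected.
func (p Proof) ComputeRoot() ([]byte, error) {
	cur := hashNode(0x00, p.Key, p.Value)
	for i, n := range p.Path {
		switch {
		case (len(n.Left) == 0) == (len(n.Right) == 0):
			return nil, fmt.Errorf("path[%d]: exactly one sibling hash required", i)
		case len(n.Left) == 0:
			cur = hashNode(0x01, cur, n.Right) // proved child is on the left
		default:
			cur = hashNode(0x01, n.Left, cur) // proved child is on the right
		}
	}
	return cur, nil
}

// Bridge (hypothetical) records the app hash accepted for each synced block height.
type Bridge struct{ roots map[uint64][]byte }

// VerifyWithdrawal accepts a packet only if its proof recomputes to the app hash
// recorded for the exact height the packet claims.
func (b *Bridge) VerifyWithdrawal(height uint64, p Proof) error {
	root, ok := b.roots[height]
	if !ok {
		return fmt.Errorf("no synced header for height %d", height)
	}
	got, err := p.ComputeRoot()
	if err == nil && !bytes.Equal(got, root) {
		err = fmt.Errorf("proof root %x != app hash %x at height %d", got[:4], root[:4], height)
	}
	return err
}

// buildTree builds a fixed 4-leaf tree from {key, value} pairs and returns its root plus a proof for leaf idx.
func buildTree(leaves [4][2]string, idx int) ([]byte, Proof) {
	var lh [4][]byte
	for i, l := range leaves {
		lh[i] = hashNode(0x00, []byte(l[0]), []byte(l[1]))
	}
	sub := [2][]byte{hashNode(0x01, lh[0], lh[1]), hashNode(0x01, lh[2], lh[3])}
	path := make([]ProofInnerNode, 2)
	for lvl, sib := range [][]byte{lh[idx^1], sub[1-idx/2]} {
		if (idx>>uint(lvl))&1 == 0 { // proved child is the left child at this level
			path[lvl].Right = sib
		} else {
			path[lvl].Left = sib
		}
	}
	return hashNode(0x01, sub[0], sub[1]), Proof{Key: []byte(leaves[idx][0]), Value: []byte(leaves[idx][1]), Path: path}
}

// Scenarios verifies one legitimate withdrawal and four tampered variants against
// constructed sample state (packets keyed by sequence number); nil means accepted.
func Scenarios() map[string]error {
	recent := [4][2]string{{"seq:1", "to=A amount=10"}, {"seq:2", "to=B amount=25"}, {"seq:3", "to=C amount=5"}, {"seq:4", "to=D amount=40"}}
	rootRecent, proof := buildTree(recent, 3)
	oldHash := sha256.Sum256([]byte("app hash of some much older block")) // constructed stand-in
	b := &Bridge{roots: map[uint64][]byte{270822321: rootRecent, 110217401: oldHash[:]}}
	forgedValue, forgedKey, blank := proof, proof, proof
	forgedValue.Value = []byte("to=D amount=1000000")        // inflate the amount
	forgedKey.Key = []byte("seq:99")                         // a packet that never existed
	blank.Path = append([]ProofInnerNode{{}}, proof.Path...) // splice in an empty inner node
	return map[string]error{
		"legit":            b.VerifyWithdrawal(270822321, proof),
		"forged_value":     b.VerifyWithdrawal(270822321, forgedValue),
		"forged_key":       b.VerifyWithdrawal(270822321, forgedKey),
		"blank_inner_node": b.VerifyWithdrawal(270822321, blank),
		"old_height":       b.VerifyWithdrawal(110217401, proof),
	}
}

func main() { fmt.Println(Scenarios()) }
```

<p>Run it with <code>go run<\/code>; the printed map shows <code>legit:&lt;nil&gt;<\/code> and an error for every other entry. The point of <code>ComputeRoot<\/code> is that it has no early exit: it folds the leaf hash through every inner node and only then compares the result with the app hash stored for the exact height the withdrawal claims, so a forged leaf, a spliced-in blank node, or a valid proof replayed against another height all fail. A verifier that can be made to stop early on a crafted path, as described above, is what turns one old block into a mint.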
<\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":7,"featured_media":1690,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[71],"tags":[89,88],"class_list":["post-1680","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trending-web3","tag-binance-hack","tag-bnb-chain"],"_links":{"self":[{"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/posts\/1680","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/comments?post=1680"}],"version-history":[{"count":7,"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/posts\/1680\/revisions"}],"predecessor-version":[{"id":4650,"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/posts\/1680\/revisions\/4650"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/media\/1690"}],"wp:attachment":[{"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/media?parent=1680"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/categories?post=1680"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/tags?post=1680"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","t
emplated":true}]}}