Ankr bolsters its security and compensated liquidity providers following an exploit from malicious actors

The BNB Chain-based protocol Ankr has bolstered its security following an exploit that resulted in hackers and malicious actors changing the developer’s private key and altering the smart contract for its BNB liquid staking token (aBNBc).

It also didn’t take long before Ankr restored security to its site. Ankr identified the hack yesterday and its team quickly swung into action to apply security updates. The company also reported that it has made compensation for affected liquidity providers (LPs). After internal research and assessment, Ankr estimated that damage to be worth $5 million worth of BNB across liquidity pools in various DEXes.

In a statement, Ankr Co-Founder and CEO Chandler Song said:

“Thanks to the fast actions from the Ankr team and various protocols, we were able to minimize any damage done extremely quickly. Hacks and exploits from bad actors like this are an unfortunate possibility in Web3, even with every attention to detail in security processes – but we were well prepared. Unlike previous events in the space this year, we are doing the right thing by our community and ensuring that this is taken care of immediately with lost funds restored.”

As security firm Beosin suggested, the exploit may have come from vulnerabilities in the smart contract code and compromised private keys due to a technical upgrade.

So, what happened?

According to Ankr, the malicious actor leveraged the smart contract for the aBNBc token to create an infinite amount of this token and then exchange it for USDC. The aBNBc token represents a staked version of Binance’s BNB token that earns rewards from validation efforts.

The aBNBb smart contract was safe from third-party minting prior to the attack, however, the attacker was able to obtain access to the deployer key. The attacker then uploaded a new aBNBb contract that included an extra method to mint without authorization checks. The attacker minted an excess of aBNBb out of thin air and rapidly moved to swap it out for other tokens on decentralized exchanges.

Ankr’s Immedite Response

As this event occurred, Ankr simultaneously alerted known off-ramps to implement their emergency plans (including minimally halting trading). Ankr also secured the smart contracts with a new key to prevent any further tampering. Finally, the Ankr team also updated smart contracts and systems to temporarily pause the movement of the underlying collateral (BNB) to be safe.

After asking other decentralized exchanges to halt trading, Ankr also took to social media to reassure its customers following its aBNB token exploit. In a post on Twitter, Ankr stated that it will be reissuing aBNBc tokens and promised that it will assess the situation and compensate affected users.

Ankr also told its customers that all the “underlying assets on Ankr Staking are safe at this time, and all infrastructure services are unaffected.”

Further instructions from the Ankr team:
1. Do not trade
2. Remove liquidity from DEXes if you are a liquidity provider (and keep the aBNBc)
3. Snapshot will be done and wait for additional news
4. Will do a reissuance of aBNBc

— Ankr (@ankr) December 2, 2022

Founded in 2017 by Chandler Song, Ryan Fang, and Stanley Wu, Ankr is a decentralized Web 3 infrastructure platform for the Web 3 World. Anker’s platform enables users to build, earn, and stake with $ANKR. Ankr currently serves an average of 6 billion blockchain requests per day across over 50 chains.

Ankr is building the future of decentralized infrastructure, servicing over 50 proof-of-stake chains with an industry-leading global node delivery system and a developer toolkit. Ankr Protocol processes over 50 chains and delivers an average of six billion blockchain requests every day Ankr serves over two trillion transactions a year across Web3 and is the RPC partner of choice for 17 blockchains, making it the dominant leader in RPC.