Ankr shares a post-mortem report on the multi-million dollar aBNBc token exploit

Early this month, we wrote about after BNB Chain-based protocol Ankr announced it was hit by a multi-million dollar exploit on December 1. The attack appeared to have first been discovered by on-chain security analyst PeckShield after it reported in a Twitter post that Ankr exploiter had started to transfer the stolen funds on Ethereum into Tornado Cash.

Within an hour of learning about the exploit, the Ankr team swung into action to apply security updates and halted trading of the compromised token. In addition, Ankr also made compensation for the affected liquidity providers (LPs). After the initial internal research and assessment, Ankr estimated that damage to be worth $5 million worth of BNB across liquidity pools in various DEXes.

Fast forward about three weeks later, Ankr has now come out with a post-mortem report on the multi-million dollar aBNBc token exploit.  The report goes in-depth into what took place on Dec. 1 and the actions taken by the Ankr team to prevent any attacks like it from happening in the future.

Who Was Behind The Multi-Million Dollar aBNBc Token Exploit?

According to the Dec. 20 post-mortem report from the Ankr team, the $5 million hack of the Ankr protocol on Dec. 1 was caused by a former team member who is no longer part of the company. Ankr also said that it has alerted local authorities to bring the attacker to justice. The company is also working to shore up its security practices to reduce insider threats and protect unapproved access to its keys in the future.

According to an OpenZeppelin tutorial on the topic, upgradeable contracts like those used in Ankr use the concept of an “owner account” that has sole authority to make upgrades. To prevent theft, most developers transfer ownership of these contracts to a gnosis safe or other multi-signature account. However,  the Ankr team said that it did not use a multi-sig account for ownership in the past but will do so from now on, stating:

“A former team member (who is no longer with Ankr) acted maliciously to conduct a supply chain attack, inserting a malicious code package that was able to compromise our private key once a legitimate update was made. We are in the process of working with law enforcement to prosecute the former team member and bring them to justice. Unfortunately, internal bad actors can affect any protocol and we are working on shoring up internal HR processes and safety measures to strengthen our security posture going forward.”

How Did Ankr Respond?

Immediate Action Taken To Halt the Attack

Immediately after the incident, the Ankr team took several actions to minimize any damage from the exploit. Ankr communicated the exploit to the public and executed plans to resolve the situation as quickly as possible. The company also alerted known off-ramps to implement their emergency plans and halt trading while securing the smart contracts with a new key, preventing any further tampering. To prevent future attacks, Ankr also updated smart contracts and systems to temporarily pause the movement of the underlying collateral (BNB) within our liquid staking product to be safe.

Also in a 5-part thread post on Twitter yesterday, Ankr shared some of the actions taken by the company after the aBNBc token exploits on Dec 1st. Immediately after the exploit, the Ankr team restored security and worked with DEXs to halt trading, formed and executed a thorough recovery plan for the community, and identified the exploiter (currently working with law enforcement to take legal action).

Formed a Recovery Plan

Secondly, Ankr took several measures to start compensating users to the full extent of the losses they incurred as a result of the exploit. The team used our own Advanced API Tool to find every aBNBc token holder in 10 seconds – a task that would have taken several hours to complete using normal query methods on a dedicated node.

Ankr also took a snapshot to identify affected users, created a new ankrBNB token, airdropped the token to affected holders, and determining reimbursement plans for most impacted users

You can read about the Ankr recovery plan here.

Reimbursed Our Community

Ankr did not stop there. As a reputable Web3-native organization with an extremely strong community, Ankr did the right thing and reimburse all token holders who were affected.

Ankr also fixed damage to Helio (aBNBc borrowing platform) by re-stabilizing HAY Price. We will continue purchasing HAY if the token remains unpegged until all funds are spent, airdropped ankrBNB to the affected aBNBc or aBNBb token holders, airdropped BNB to all affected DeFi liquidity providers, and reached an agreement to reimburse Wombat stkBNB LPs and planned to provide 100% coverage of the BNB Wombat LPs.

What’s Ankr Improving?

Ankr is now implementing several improvements to our security posture. Here are a few notable reinforcements:

Requiring Multi-sig Authentication & Timelocks for All Updates

The exploit was possible partly because there was a single point of failure in our developer key. We will now implement multi-sig authentication for updates that will require signoff from all key custodians during time-restricted intervals, making a future attack of this type extremely difficult if not impossible. These features will improve security for the new ankrBNB contract and all Ankr tokens.

In a Twitter post on Dec. 20, Ankr also shared a quick summary of what’s doing to improve its security measures.

4/ We are now improving several security measures, here are a few:

– Requiring Multi-sig authentication & timelocks for all updates
– Revamping internal security measures
– Implementing new monitoring and notification systems
– Refining procedures for working with DeFi protocols

— Ankr Staking (@ankrstaking) December 20, 2022

Revamping internal security measures

Ankr will now require escalated background checks for all employees (including all contractors and remote workers) while taking extra measures to verify the current status of those currently working at Ankr. We are also reviewing access rights and taking extra steps to minimize entry to any sensitive systems.

Implementing new monitoring & notification systems

The team was able to catch the attack extremely quickly, but we can always work on improving our response time. We are implementing new notification systems to alert key personnel so they can be online faster at any time of day.

Refining procedures for working with DeFi protocols

Now that we’ve been through the experience of working with teams from other protocols after an incident, we can improve the process with a precedent set for responding with international teams in streamlined communication channels.

Founded in 2017 by Chandler Song, Ryan Fang, and Stanley Wu, Ankr is a decentralized Web 3 infrastructure platform for the Web 3 World. Anker’s platform enables users to build, earn, and stake with $ANKR. Ankr currently serves an average of 6 billion blockchain requests per day across over 50 chains.

Ankr is building the future of decentralized infrastructure, servicing over 50 proof-of-stake chains with an industry-leading global node delivery system and a developer toolkit. Ankr Protocol processes over 50 chains and delivers an average of six billion blockchain requests every day Ankr serves over two trillion transactions a year across Web3 and is the RPC partner of choice for 17 blockchains, making it the dominant leader in RPC.