Ankr’s Exploit Enabled an Attack on Stablecoin Issuer Helio

  • A hacker targeted a vulnerability in DeFi protocol Ankr to mint trillions of aBNBc tokens, which he eventually swapped for 5 million USDC.
  • The event caused the price of aBNBc to plummet by 99%, which allowed another individual to steal $15.5 million from stablecoin issuer Helio as it did not have up-to-date pricing on aBNBc.

BNB Chain-based decentralized finance (DeFi) protocol Ankr was hit by a multi-million dollar exploit, which also affected stablecoin issuer Helio Protocol, Ankr said via Twitter on 2 December.

According to the announcement, a hacker exploited a vulnerability in Ankr’s smart contract to mint trillions of aBNBc, a reward token tied to the price of the BNB token. He then used the minted tokens to drain all of aBNBc’s liquidity from decentralized exchanges on BNB Chain, and got away with roughly $5 million worth of digital assets. Ankr quickly got in touch with exchanges to halt trading of the token, and assured users that the underlying assets on Ankr Staking were safe.

On-chain analytics firm Lookonchain has suggested that the exploit was made possible not only through a vulnerability in Ankr’s smart contract code, but also through a compromised private key, which allowed the attacker to modify the protocol’s smart contracts. Ankr is currently working on resolving the issue, and has proposed to purchase $5 million worth of BNB to compensate liquidity providers that have been affected by the exploit.

The event caused the price of aBNBc to fall by more than 99%, which allowed an opportunistic trader to cash in on the exploit. Lookonchain reported that an individual took advantage of the crashed price to purchase 183,885 aBNBc with only 10 BNB, and then deposited the tokens to stablecoin issuer Helio Protocol. Because the platform did not have up-to-date pricing on aBNBc after the Ankr exploit, the individual was able to borrow $16 million worth of the HAY stablecoin, which was then swapped for 15.5 million BUSD.
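
The stale-pricing failure described above, sketched as an added example that is not code from Helio, Ankr or the original article: a borrow-limit calculation that trusts the last oracle quote, next to one that rejects stale or divergent quotes. The BNB price, loan-to-value ratio, thresholds and the pre-crash quote of 1 BNB per aBNBc are assumptions, with the ratio chosen so the unguarded result lands near the reported $16 million; only the 183,885 aBNBc bought for 10 BNB comes from the report.

```python
from dataclasses import dataclass

# Constructed values, except the reported trade of 183,885 aBNBc for 10 BNB.
BNB_USD = 290.0        # assumed BNB price in USD
LTV = 0.30             # assumed loan-to-value ratio for aBNBc collateral
MAX_AGE_S = 300        # assumed: reject quotes older than 5 minutes
MAX_DEVIATION = 0.10   # assumed: reject quotes >10% away from a second source
TOKENS = 183_885
DEX_PRICE = 10 / TOKENS   # post-crash market price implied by the reported trade


@dataclass
class Quote:
    price_bnb: float   # price of one aBNBc, in BNB
    timestamp: int     # unix time the quote was produced


class PriceRejected(Exception):
    """Raised when a quote must not be used to value collateral."""


def naive_borrow_limit(amount: float, oracle: Quote) -> float:
    # Failure mode from the article: trust whatever the oracle last reported.
    return amount * oracle.price_bnb * BNB_USD * LTV


def guarded_borrow_limit(amount: float, oracle: Quote, reference: Quote, now: int) -> float:
    # Guard 1: the quote must be recent.
    if now - oracle.timestamp > MAX_AGE_S:
        raise PriceRejected("oracle quote is stale")
    # Guard 2: the quote must agree with an independent reference price.
    high = max(oracle.price_bnb, reference.price_bnb)
    if high <= 0 or abs(oracle.price_bnb - reference.price_bnb) / high > MAX_DEVIATION:
        raise PriceRejected("oracle and reference prices diverge")
    # Value collateral at the lower of the two agreeing prices.
    return amount * min(oracle.price_bnb, reference.price_bnb) * BNB_USD * LTV


if __name__ == "__main__":
    now = 1_670_000_000                                 # constructed timestamp
    stale = Quote(price_bnb=1.0, timestamp=now - 3600)  # assumed pre-crash quote
    market = Quote(price_bnb=DEX_PRICE, timestamp=now)
    print(f"naive limit:   ${naive_borrow_limit(TOKENS, stale):,.0f}")
    try:
        guarded_borrow_limit(TOKENS, stale, market, now)
    except PriceRejected as exc:
        print(f"guarded check: rejected ({exc})")
    print(f"fresh quote:   ${guarded_borrow_limit(TOKENS, market, market, now):,.0f}")
```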
