A bridge to BSC was hacked for ~$500 million yesterday. This doesn’t mean the hacker gets to take all these funds to the bank, but it does point to an interesting vulnerability.
Here we’ll explore:
- What exactly got hacked? (The Binance Bridge)
- How was it hacked?
- What happens next?
‘U up?’ are three words no one in the Crypto/Web3 industry ever wants to see in a private message.
Samczsun if you don’t already know is the savant-level white hat hacker usually at the forefront of keeping the industry safe whenever something can or does go wrong. Those words are his signature initial greeting to any protocol or application developers about to receive some bad news about vulnerabilities or hacks on their offering.
Yesterday Samczsun let out a series of tweets in real-time as he was uncovering what had happened a few hours prior. An incident involving 2 million $BNB ($566 million).
Binance is the world’s leading cryptocurrency exchange. It wasn’t hacked.
Mainstream (and even some crypto-native news publications) can sometimes get it wrong. No more fast food ‘news’ please.
BSC is the Binance Smart Chain — it started out as a fork of Ethereum (Geth). It’s a protocol, blockchain, somewhat decentralized, etc. It’s another L1 is what matters at the moment. There’s a coin that lives on BSC similar to ETH on Ethereum, that’s BNB.
How do you get BNB to BSC to use the apps? You bridge your funds through the Binance Bridge. All protocols have bridges. There are generic bridges that allow you to move back and forth between unrelated chains.
‘Bridge’ is a bit of a misnomer. When you cross a bridge you (and your belongings) generally start on one side and completely migrate to the other side.
In Crypto, ‘bridges’ have you locking your funds on one side and then receiving an equal amount of some other good on the other side.
It’s like parking your Acura at a depo and passing the keys to someone to keep it safe for you (that someone is usually a smart contract or wallet and usually multi-sig) then taking a Toyota of equal value out for a spin. When you’re ready, bring the Toyota back and head back and get your Acura (assuming it’s still there).
‘Bridges’ here are more like automated, assured, reversible protocol-level swaps but anyways you get the picture.
As you can see as people park their cars on one side of the bridge and leave their keys to someone else, that authority over the keys is starting to hold a lot of value. After a while the value of all of those cars starts to really add up, especially if some people start to bring in their ‘lambo’s.
Bridges being hacked is nothing new. What’s different here was the manner in which the bridge was hacked.
Computer Science loves trees. Take that, environmentalists.
Don’t believe me? Here are things that use trees.
- Search algorithms
Tree representations of data can be very efficient. It’s a structure that can make storing and retrieving information much easier. Start at a node, determine some comparison, head down the required branch to another smaller tree, etc. Each time you do that you cut out caring or looking through a lot of other data it would be inefficient to look through. Trees help determine what to look at and narrow down relevant options much more quickly.
Data in smart contract blockchains are stored in trees. The Binance Bridge uses an AVL tree implementation from the Cosmos ecosystem. An AVL tree is pretty interesting, it balances itself out as things get stored in and retrieved from the nodes.
Imagine a tree from the top. It has branches and leaves. Each leaf has a number of caterpillars chomping away in slow motion (I woke up to the sound of those crunches once in Thailand, it was weird).
Let’s say for the tree to stay ecologically balanced every leaf on the left side of the tree should have less than 5 caterpillars, and each leaf on the right side should have 5 or more caterpillars (not sure why this would balance the tree but accept it for the example). In comes some crazy ape and knocks down some caterpillars from the right side. Now a couple of those leaves have fewer than 5 caterpillars. Shit, no longer balanced. An AVL would automatically re-balance so those leaves with fewer than 5 caterpillars end up on the left.
Caterpillars have nothing to do with blockchains (or do they? — okay no they don’t). But blockchains use AVL trees, and that’s important. The data representation is called a Merkle tree.
Can we still talk about caterpillars please? No, we need to move on. But you know what’s a lot like a caterpillar? A cryptographic hash.
Okay not really, but, still vibe please. Blockchain Merkle trees don’t care about the number of caterpillars on a leaf (sorry nature lovers). The information each node represents is a hash function that tells you something about the data of the leaves on the branches of the subtrees, all the way down to the leaves (the last nodes of a tree). This allows data to bubble up from the database where it lives to a representation on the tree so that it is easier to store, look up and validate the data.
Back to the hack. These trees are verified with hash functions. Starting at leaf nodes, hashes are proved up the tree to the root. If someone can modify the information in leaf nodes but produce hashes that are proved to be true by the higher-up nodes, then they can change who owns what.
The short story from here is someone who was able to forge those proofs.
For technical details it’s best to refer you to the tweet by Samczsun. He mentions the approach he was able to figure out. Apparently it’s not exactly how the hacker did it. But the same principles of what happened apply.
This exhausts my understanding of the technical details. Hopefully didn’t get anything wrong. Please let me know if I have.
CZ announced that the validators had halted the chain. These validators theoretically are autonomous and anonymous operators that can communicate with each other to perform operations collectively.
When the dust settled the hacker was only able to get away with ~$80 million.
Here is the hacker’s profile showing the stolen amount.
Before his account was frozen he was able to send at least some ETH to other addresses. Some addresses have been blacklisted.
Here is one of their addresses containing ETH.
As usual, never a dull day in Crypto/Web3.
If you found this helpful article be sure to follow me on Medium for more content from across the space.
PS We’re working on the website for Crypto Climax to bring it to life as an online publication. Stay tuned!
I produce market and developer-related content from across our ecosystem.
This article is an example of a feature article from my free weekly newsletter. There you’ll also find exclusive content, so be sure to signup!
Your email won’t be used for anything else (I don’t even look at them).
Also be sure to follow me on Twitter for threads and other important content from across the space.
Until next time, from your premier Crypto/Web3 publication.
Max — The Crypto Climax
New to trading? Try crypto trading bots or copy trading