Decentralized Web3 infrastructure provider Ankr sought to reassure its community Friday with an initial response to the theft of at least $5.5 million from BNB Chain liquidity pools and money markets.
The team confirmed that Ankr’s other products — including validators, RPC nodes, and AppChain services — were not affected. That will come as a relief to holders of Ankr’s other larger staking derivatives, notably aETHc — Ankr staked ether — which carries a market cap of about $68 million.
The attacker minted a total of 60 trillion aBNBc across 6 different transactions. The thief then used the minted, but unbacked tokens to drain liquidity from decentralized exchanges on the BNB Chain. After turning around and buying the depressed aBNBc the attacker was able to raid borrowing and lending protocol Helio by withdrawing $16 million in HAY, the protocol’s custom stablecoin and swapping it for $15.5 million BUSD, the Binance stablecoin issued by Paxos.
Prior to the exploit, Helio had $90 million in Total Value Locked, according to DeFiLlama.
“Hacks and exploits from bad actors like this are an unfortunate possibility in Web3, even with every attention to detail in security processes — but we were well prepared,” Co-Founder & CEO Chandler Song, said in a statement.
A recommended “action plan” explained how users of aBNBc can be compensated through a new ankrBNB token that will be minted and airdropped based on a pre-exploit snapshot of on-chain data.
While the attack apparently stems from malicious use of the private key for the aBNBc smart contract deployer, it’s unclear exactly how the key was compromised. Industry best practices call for multisignature wallets and timelocks on upgradeable smart contracts, to prevent this type of attack.
Representatives from Ankr did not respond to Blockworks request for comment.
Other providers of liquid staked BNB such as pSTAKE use multisigs to protect sensitive contracts, and restrict access to token minting functions, while fully decentralized dapps such as Uniswap on Ethereum are not upgradeable at all.
The full extent of the collateral damage is not yet clear, but the Ankr expressed the intent to resolve losses incurred by customers of related DeFi dapps.
For example, Ankr will cover bad debt incurred by Helio Protocol, pending the outcome of ongoing discussions, according to the latter’s official Twitter account.
Get the day’s top crypto news and insights delivered to your inbox every evening. Subscribe to Blockworks’ free newsletter now.