Double Hack Sees Stablecoin Issuer Helio Hit by Ankr Attack Fallout

Double Hack Sees Stablecoin Issuer Helio Hit by Ankr Attack Fallout

Created 1mo ago, last updated 1mo ago

After a hacker robbed staking infrastructure provider Ankr for $5 million, a second used its then-nearly worthless wrapped BNB tokens to scam stablecoin issuer Helio Protocol for $15 million.

Double Hack Sees Stablecoin Issuer Helio Hit by Ankr Attack Fallout

Table of Contents

Listen to the CoinMarketRecap podcast on Apple Podcasts, Spotify and Google Podcasts

A pair of related hacks drained $20 million from two separate projects overnight on Thursday.

The first exploited the DeFi staking infrastructure provider Ankr for $5 million in a way that crashed the price of its aBNBc rewards token — a wrapped BNB token — to near zero.

That opened the door for a second attack, in which someone bought 183,000 of the crashed aBNBc tokens for about $3,000, and then traded them for $16 million worth of Helio Protocol's BNB chain-based HAY stablecoins at the pre-crash price, thanks to a slow price oracle update, according to blockchain security firm BlockSec.

The attacker then promptly swapped those HAY for $15.5 million worth of BUSD stablecoins — causing a huge loss for Helio. At least $3 million was moved into a Binance hot wallet and frozen, CEO Changpeng "CZ" Zhao tweeted.

It is not clear if the Helio attack was by the same hacker or a separate one launched at the spur of the moment.

Ankr Sinks

Zhao added that it seemed to have started when an Ankr private developer key was hacked, allowing the crook to update "the smart contract to a malicious one."

Specifically, the new smart contract allowed the hacker to mint "$4 QUADRILLION worth of aBNBc tokens (wrapped BNB on Ankr) and [sell] them into the main liquidity pool," crypto intelligence firm Arkham tweeted. The hacker sold them off for USDC stablecoins and began bridging them to Ethereum. In doing so, the hacker cleaned out a number of BNB liquidity pools.

Among other places, the thief sent about $250,000 of ill-gotten gains through Tornado Cash, the mixing service placed under sanctions in August by the U.S. Treasury Department as it was being used by North Korean hackers from the Lazarus Group to launder hundreds of millions of dollars that is believed to support the rogue nation's nuclear program.

Ankr has pledged to buy $5 million in BNB "to compensate in totality the liquidity providers that have been affected by the exploit due to the drainage of the liquidity pool."

It is also replacing all aBNBc (and aBNBb) tokens with the new ankrBNB, using a pre-hack snapshot. The old tokens will "no longer be redeemable," Ankr added.

One or Two?

Arkham said the second attack on Helio seems to have been one of opportunity rather than a planned and coordinated one. It explained:

"Due to the contract bug being publicly exploitable, copycat attacks began to take place, although these were far less effective."

One imitator out of about 70, it noted, "simply sold off trillions of now-worthless aBNBc into the liquidity pool for $2.52."

But another actually bought up the near-worthless aBNBc from the liquidity pool, spending 10 BNB (worth about $290 at the time) Arkham said, adding:

"This is because they realized that another protocol would allow them to collateralize it for borrowing, and mark it as ordinary BNB. That protocol was @Helio_Money."
1 person liked this article