After a hacker drained $5 million from staking infrastructure provider Ankr, a second attacker used Ankr's then-nearly-worthless wrapped BNB token to extract $15 million from stablecoin issuer Helio Protocol.
A pair of related hacks drained $20 million from two separate projects overnight on Thursday.
The first exploited the DeFi staking infrastructure provider Ankr for $5 million in a way that crashed the price of its aBNBc rewards token — a wrapped BNB token — to near zero.
That opened the door for a second attack, in which someone bought 183,000 of the crashed aBNBc tokens for about $3,000 and then traded them for $16 million worth of Helio Protocol's BNB Chain-based HAY stablecoins. Helio's price oracle had not yet caught up with the crash, so the tokens were still valued at their pre-crash price, according to blockchain security firm BlockSec.
The attacker then promptly swapped those HAY for $15.5 million worth of BUSD stablecoins — causing a huge loss for Helio. At least $3 million was moved into a Binance hot wallet and frozen, CEO Changpeng "CZ" Zhao tweeted.
It is not clear if the Helio attack was by the same hacker or a separate one launched at the spur of the moment.
Zhao added that it seemed to have started when an Ankr developer's private key was compromised, allowing the attacker to update "the smart contract to a malicious one."
Specifically, the new smart contract allowed the hacker to mint "$4 QUADRILLION worth of aBNBc tokens (wrapped BNB on Ankr) and [sell] them into the main liquidity pool," crypto intelligence firm Arkham tweeted. The hacker sold them for USDC stablecoins and began bridging the proceeds to Ethereum, draining a number of BNB liquidity pools in the process.
Ankr has pledged to buy $5 million in BNB "to compensate in totality the liquidity providers that have been affected by the exploit due to the drainage of the liquidity pool."
It is also replacing all aBNBc (and aBNBb) tokens with the new ankrBNB, using a pre-hack snapshot. The old tokens will "no longer be redeemable," Ankr added.
One or Two?
Arkham said the second attack on Helio seems to have been one of opportunity rather than a planned and coordinated one. It explained:
"Due to the contract bug being publicly exploitable, copycat attacks began to take place, although these were far less effective."
One imitator out of about 70, it noted, "simply sold off trillions of now-worthless aBNBc into the liquidity pool for $2.52."
But another actually bought up the near-worthless aBNBc from the liquidity pool, spending 10 BNB (roughly $3,000 at the time), Arkham said, adding:
"This is because they realized that another protocol would allow them to collateralize it for borrowing, and mark it as ordinary BNB. That protocol was @Helio_Money."
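The Helio leg of the attack, as BlockSec and Arkham describe it above, comes down to one pricing decision: the protocol valued aBNBc collateral at a price the market no longer supported, either because the oracle was slow to update or because the wrapped token was marked as ordinary BNB. The following is an added, constructed example (not Helio's or Ankr's code, and not their actual parameters) that models that decision in Python. It shows a naive collateral valuation that trusts whatever the oracle last reported next to a hardened one that rejects stale reports and oracle/market disagreement. The 183,000 tokens and roughly $3,000 cost are the article's figures; the $290 oracle price, the one-hour staleness, the timestamps and the loan-to-value ratio are assumptions for illustration.

```python
"""Toy model of collateral pricing in a lending protocol.

Constructed example (not Helio's or Ankr's code). It illustrates how a
collateral oracle that still reports a pre-crash price, or that values a
wrapped token as if it were the underlying asset, lets collateral bought for
a few thousand dollars back a loan worth millions. All prices, timestamps
and ratios below other than the 183,000-token / ~$3,000 purchase are
constructed.
"""
from dataclasses import dataclass


@dataclass
class OraclePrice:
    """A price report as a lending protocol would read it from its oracle."""
    price_usd: float
    updated_at: int  # unix seconds of the last oracle update


class StalePriceError(Exception):
    """Oracle report is older than the protocol tolerates."""


class PriceDeviationError(Exception):
    """Oracle report disagrees with the observed market price."""


def max_borrow_naive(collateral_amount: float, oracle: OraclePrice, ltv: float) -> float:
    """Vulnerable pattern: trust the stored oracle price unconditionally.

    If the oracle has not been refreshed since the collateral token crashed,
    the borrower is credited at the pre-crash valuation.
    """
    return collateral_amount * oracle.price_usd * ltv


def max_borrow_hardened(
    collateral_amount: float,
    oracle: OraclePrice,
    spot_price_usd: float,
    now: int,
    ltv: float,
    max_age_seconds: int = 600,
    max_deviation: float = 0.05,
) -> float:
    """Hardened pattern: reject stale reports and oracle/market disagreement.

    spot_price_usd is an independent observation (for example a DEX pool
    quote). The loan is sized on the lower of the two prices, so a borrower
    can never extract more than the collateral would fetch on the market.
    """
    age = now - oracle.updated_at
    if age > max_age_seconds:
        raise StalePriceError(f"oracle report is {age}s old (limit {max_age_seconds}s)")
    deviation = abs(oracle.price_usd - spot_price_usd) / oracle.price_usd
    if deviation > max_deviation:
        raise PriceDeviationError(
            f"oracle ${oracle.price_usd:.4f} vs market ${spot_price_usd:.4f} "
            f"({deviation:.0%} apart, limit {max_deviation:.0%})"
        )
    return collateral_amount * min(oracle.price_usd, spot_price_usd) * ltv


def replay_scenario() -> dict:
    """Replay the shape of the Helio leg with constructed numbers."""
    now = 1_670_000_000  # constructed 'current' timestamp
    # Constructed: wrapped token still priced as one BNB, report an hour stale.
    pre_crash = OraclePrice(price_usd=290.0, updated_at=now - 3_600)
    tokens_bought = 183_000.0  # figure from the article
    cost_usd = 3_000.0         # figure from the article
    spot_after_crash = cost_usd / tokens_bought  # what the market actually charged
    ltv = 0.66                 # constructed collateral ratio

    naive = max_borrow_naive(tokens_bought, pre_crash, ltv)
    try:
        max_borrow_hardened(tokens_bought, pre_crash, spot_after_crash, now, ltv)
        hardened = "accepted"
    except (StalePriceError, PriceDeviationError) as exc:
        hardened = f"rejected: {exc}"

    return {"cost_usd": cost_usd, "naive_borrow_usd": naive, "hardened": hardened}


if __name__ == "__main__":
    for key, value in replay_scenario().items():
        print(f"{key}: {value}")
```

The staleness check alone would not have helped if the oracle had been refreshed but still mapped aBNBc to the BNB price, which is why the deviation check against an independent market quote is the more important of the two; a protocol that accepts a wrapped or liquid-staking token as collateral has to price that token, not the asset it wraps.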