BNB Chain-based staking platform Helio Protocol suffered an unfortunate $15M exploit in the aftermath of the exploit of Ankr Protocol.
Yesterday, Ankr was hacked: the exploiter minted 20T aBNBc and dumped it on PancakeSwap, managing to exchange it for more than 5 million USDC.
Ankr later acknowledged that malicious actors had accessed the developer’s private key and changed the BNB liquid staking token’s (aBNBc) smart contract.
After that, the attacker uploaded a new aBNBb contract with an additional way to mint without authorization checks. Having created the surplus aBNBb out of thin air, the attacker rushed to convert it into other tokens on decentralized exchanges.
The infinite mint flaw in Ankr’s contract code was exploited by the address 0xf3a, which generated 60 trillion aBNBc in 6 transactions.
Before the transactions were detected, the attacker was able to exchange them for the stablecoin USDC and start moving them from the Binance Smart Chain to Ethereum. Ankr has verified that there have been losses of around $5 million in BNB.
Ankr later notified off-ramps to implement their emergency measures. Out of an abundance of caution, the protocol updated smart contracts and systems to temporarily halt the transfer of the underlying BNB. It also secured the smart contracts with a new key, preventing any future manipulation.
Ankr is currently trying to notify all parties who may be impacted by identifying all parties who provided liquidity to DEXes, all protocols supporting aBNBc or aBNBb LP, as well as aBNBc collateral pools.
To compensate the liquidity providers who were harmed by the exploit through the draining of liquidity pools, Ankr will buy $5 million worth of BNB.
Ankr admits that diluted aBNBc was traded speculatively following the exploit, but the team can only offer compensation to LPs who were unaware of the issue.
The protocol is discontinuing the aBNBc and aBNBb tokens immediately; in their place, new ankrBNB tokens will be created and airdropped to impacted aBNBc and aBNBb users.
Prior to the snapshot, the Ankr team will snapshot and airdrop the recently released ankrBNB tokens to all legitimate aBNBc holders. Ankr reaffirmed the safety of all user collateral with all BNB collateral.
The price of the aBNBc coin dropped by more than 99% when the hacker sold off a significant amount of it on DEXs, and this led to the exploit of Helio.
The Helio attacker used 10 BNB to acquire 183,384.92 aBNBc tokens. These tokens were converted to 191,130 hBNB tokens and staked in Helio. Because Helio's price oracle was not updated following the aBNBc price crash, these tokens were used to drain $16M in HAY stablecoin.
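The stale-oracle condition described above can be guarded against at the point where collateral is valued. The following Python model is an added example, not Helio's or Ankr's code: it rejects a mint when a price feed is too old or disagrees with a second reference feed. The function names, the thresholds, the 1.5 collateral ratio and the $300 prices are constructed assumptions; only the 191,130 hBNB and the 10 BNB for 183,384.92 aBNBc figures come from the article.

```python
from dataclasses import dataclass

class OracleRejected(Exception):
    """No trustworthy price is available, so minting must halt."""

@dataclass(frozen=True)
class PriceFeed:
    price_usd: float   # USD per collateral token
    updated_at: int    # unix time of the feed's last update

def checked_price(primary, reference, now, max_age_s=300, max_deviation=0.05):
    """Return a conservative price, or raise if a feed is stale or the feeds diverge."""
    for name, feed in (("primary", primary), ("reference", reference)):
        if feed.price_usd <= 0:
            raise OracleRejected(f"{name} feed has a non-positive price")
        if now - feed.updated_at > max_age_s:
            raise OracleRejected(f"{name} feed is stale")
    high = max(primary.price_usd, reference.price_usd)
    low = min(primary.price_usd, reference.price_usd)
    if (high - low) / high > max_deviation:
        raise OracleRejected("feeds diverge beyond tolerance")
    return low  # value collateral at the lower of the two prices

def mint_limit(collateral, price_usd, collateral_ratio=1.5):
    """Stablecoin that may be minted against the collateral (ratio is assumed)."""
    return collateral * price_usd / collateral_ratio

def guarded_mint_limit(collateral, primary, reference, now):
    return mint_limit(collateral, checked_price(primary, reference, now))

# Constructed scenario: timestamps, $300 prices and the ratio are assumptions.
NOW = 1_670_000_000
COLLATERAL = 191_130.0                      # hBNB staked (figure from the article)
STALE = PriceFeed(300.0, NOW - 3600)        # oracle not updated since before the crash
MARKET = PriceFeed(10 * 300.0 / 183_384.92, NOW - 30)  # 10 BNB bought 183,384.92 aBNBc

def demo():
    """Compare the unguarded limit with the guarded decision."""
    naive = mint_limit(COLLATERAL, STALE.price_usd)
    try:
        guarded = guarded_mint_limit(COLLATERAL, STALE, MARKET, NOW)
    except OracleRejected as exc:
        guarded = f"rejected: {exc}"
    return naive, guarded

if __name__ == "__main__":
    print(demo())
```
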
The attacker then swapped $16M in HAY for 15,504,986 BUSD. The 15M BUSD was then transferred to an address and then to a Binance hot wallet. Binance CEO CZ later reported the team froze about $3m that hackers moved to the exchange.
The HAY stablecoin depegged after the incident. Helio confirmed the attack and stated it is working with Ankr to stabilize the situation. To help HAY re-peg, Ankr will buy as much as possible of the excess HAY minted from the discounted aBNBc so that it can be burnt.
Helio Protocol and Ankr have also discussed a bilateral agreement where Ankr will be covering Helio Protocol’s bad debt as a result of this exploit event.
Helio Protocol will also be changing the collateral used to mint HAY and will use the new ankrBNB token instead of the existing aBNBc token.
Helio stated, “Customer safety is a top priority at Helio Protocol. The team will continue working to identify ways to further mitigate the situation and address community concerns moving forward.”
Compiled by Coinbold