$110 million Binance hack proves blockchain bridge vulnerability

The mega-exchange has previously called for strong rules on the crypto markets.
10 October 2022

The Binance hackers got away with over $100 million in funds.


Blockchain bridges have long been understood to be a weak link in the whole chain of decentralized finance, but if you needed a reminder of that fact, a potential $570 million hack should serve more than adequately. Binance, the self-styled “largest crypto exchange by trading volume,” is your host for this latest lesson in the perils of a major monetary system with a weak link. A Binance-linked blockchain suffered the multimillion-dollar hack late on Thursday, October 6th.

While CEO Changpeng Zhao initially sought to calm users of the crypto exchange, assuring them that “your funds are safe,” Binance reacted swiftly, suspending its whole blockchain network, BNB Smart Chain, while it worked out what had happened – and whether there was any way of chasing the perpetrators or reversing the outcome.

A mitigated risk

Ultimately, of the $570 million worth of tokens initially lifted from the chain, around $460 million was frozen on the BNB Chain before it could be translated into hard cash. For whoever the hackers are, though, a $110 million paycheck will probably make it worth trying again in the future – or potentially, worth selling their methodology on the dark web to other bad actors with a point to prove and a payday to earn.

Targeting a cross-chain bridge – as the Binance hackers did – is nothing particularly new, especially in recent months. Bridges are the infrastructure you need to switch assets between different blockchains, and like any intersection points in the real world, they open up potential for attack because they’re inherently points in the system where standardized security is likely to be weaker than it is elsewhere.

It’s also true that bridge exchanges typically store large reserves of various tokens or assets, for the speedy transaction of business or the transfer of assets from one chain to another. The combination of weaker security and large stores of assets is almost a perfect storm for would-be attackers – and in recent months, those attackers have been increasingly bent on proving that they can take from the pot as and when they want.

A growing problem

While the $100 million taken from the Binance chain gives the numbers a fillip, over $1.2 billion has been stolen from bridges in 2022 alone, indicating an increasingly serious issue that needs addressing. In August, bridge provider Nomad had £190 million stolen, following a similar $100 million bridge heist from provider Harmony in June, and the eye-watering $625 million hack of the Axie Infinity Ronin bridge in March 2022.

Two things can be learned from this. Firstly, the Binance hack is in and of itself nothing particularly special – hackers have found a new and relatively easy way to raise enormous sums of money, by focusing their attention on blockchain bridges. They’re likely to continue to hit those bridges for as long as they remain profitable targets, and as long as they remain relatively straightforward to attack.

And secondly, the thing that makes the Binance hack noteworthy is that it was a Binance hack: a hack on the bridge of the world’s largest crypto exchange, with all the market-rippling fear that entails. There can be, and there have been, bigger hauls. But if you’re a crypto bridge hacker wanting to announce yourself to the world of the dark web, the Binance hack is the one you want on your resume. It’s the Mona Lisa of crypto hacks. The Bonnie and Clyde of decentralized bank robberies. Essentially, it’s the Olympic gold medal of crypto hacks, simply because Binance as a name is so big, so well-known, and so very dependent on this kind of thing not happening to it. Of course, it’s worth acknowledging the Harmony Horizon hack, too, which also sucked money out of a bridge used by Binance.

Credit where it’s due

The October heist put the BNB blockchain offline for around nine hours. Those will have been nine extremely tense hours for crypto investors with their assets on the Binance chain. The exchange put out a call to all of the validators on the compromised chain, to ensure it was back up and running as soon as possible.

To give Binance the credit it is due, it quickly took ownership of the issue. In a blog post on Friday morning, it said: “First, we want to apologize to the community for the exploit that occurred. We own this. Thanks to the assistance of all the security experts, projects, and validators, the vast majority of the funds remain under control.” And there’s a truth beyond the media-speak there – if the security experts and validators had not reacted swiftly, it’s very likely Binance would have been looking at a $500 million blockchain bridge heist, which would have put a much bigger dent in the company’s investor trust profile than the $110 million reality will do.

The need for global action

What’s more, Binance was already on record as acknowledging the need for global regulation of crypto markets. Back in 2021, it acknowledged that crypto platforms had an obligation to protect their users and investors, and to implement processes to prevent financial crimes like blockchain bridge heists.

It seems likely that October’s Binance bridge hack will only light a further fire under the exchange’s determination to work with global regulators to establish tough rules and security protocols. Given that hackers appear to have found ways to compromise blockchain bridges to the tune of over $1.2 billion in the course of ten months, such rules and protocols probably can’t come soon enough for everyone involved in the crypto world.