Hackers get away with $20 million in twin attacks on Ankr and Helio
- Approx. $20 million has been lost in a series of connected attacks on Ankr and Helio.
- $3 million of the stolen money was, however, seized after transfer to Binance.
- The attacks heavily involved aBNBc tokens.
According to an on-chain analysis by security firm BlockSec, Ankr (ANKR/USD) and stablecoin issuer Helio have lost about $20 million in a series of connected attacks.
The first attack targeted a liquid staking token product offered by Ankr while the second attack targeted the Helio Protocol. The attacks come a day after Ankr integrated Coinbase and announced support for Coinbase Wallet liquid staking.
Are you looking for fast-news, hot-tips and market analysis? Sign-up for the Invezz newsletter, today.
The Ankr attack
In the first attack, the hacker leveraged a vulnerability in Ankr’s smart contract to mint trillions of aBNBc, a reward token pegged on the price of Binance’s BNB token.
After minting the aBNBc tokens, the attacker reportedly sold and drained all of the token’s liquidity across decentralized exchanges (DEXs) on the BNB Chain. In total, the tokens that the attacker was able to get away with amounted to about $5 million.
Ankr has already acknowledged the attack and said that it is working with crypto exchanges to block deposits from addresses connected with the exploit.
The attack has caused a drastic fall in aBNBc token price, which has dropped by more than 99%. The sharp aBNBc price decline is suspected to be the reason behind the second exploit on Helio Protocol.
The Helio Protocol attack
In the second attack, the attacker purchased 12.6 million aBNBc tokens using 300 BNB tokens worth about ($87,000). The attacker then deposited the aBNBc tokens into the Chain-based stablecoin issuer Helio Protocol.
The attacker then proceeded to borrow $16 million worth of HAY stablecoin using the deposited aBNBc as collateral. But the oracle system used by Helio Money failed to update aBNBc prices because of its drastic price crash making the attacker swap the borrowed HAY stablecoin for $15 million Binance USD (BUSD/USD).
According to BlockSec, the $15 million worth of BUSD was moved to Binance where about $3 million have been seized so far according to Binance CEO Changpeng Zhao.