On the 2nd of December, 2022, the Ankr Protocols suffered from an exploit. The wallet of the Ankr contract deployer got compromised, which was the root cause of the attack.
The malicious contract allowed unlimited minting of tokens, which was the main cause of the attack. The attacker then minted 10 trillion tokens to his address by calling 0x3b3a5522 the function of his malicious contract.
More than $5 million was stolen by hackers. The attacker quickly moved assets to Tornado Cash and bridged tokens to other chains like Ethereum and Polygon.
Tekedia Mini-MBA edition 16 (Feb 10 – May 3, 2025) opens registrations; register today for early bird discounts.
Tekedia AI in Business Masterclass opens registrations here.
Join Tekedia Capital Syndicate and invest in Africa’s finest startups here.
The Ankr liquid staking service provides integrators and stakers a flexible way to stake and earn from blockchains. Typically, staking involves locking up your tokens for some time, during which they can’t be used.
With liquid staking, Crypto asset holders can stake their assets on Ankr and receive liquid staking tokens to access numerous DeFi opportunities.
The deployer’s wallet’s private key was hacked, which led the attacker to gain full control of the wallet and upgrade contract implementation with his malicious contract.
On-Chain Details:
The attacker compromised the deployer’s wallet and created a new implementation contract.
Then the attacker replaced the $aBNBc contract’s implementation by upgrading the implementation contract.
Next, he called the 0x3b3a5522 function and minted 10 trillion aBNB tokens into his wallet.
After minting tokens, the attacker sent 1.125 BNB from the deployer’s compromised wallet to his wallet which was used as gas fees for further transactions.
Then, the attacker started swapping tokens and transferring amounts to tornado cash and other bridges like Ethereum and Polygon.
The Ankr Team announced the hack on Twitter and immediately halted trading on exchanges. Additionally, Binance froze stolen cryptocurrency worth $3 million.
Our aBNB token has been exploited, and we are currently working with exchanges to immediately halt trading.
— Ankr (@ankr) December 2, 2022