DeFi Protocol Ankr Exploited for Over $5M

DeFi protocol Ankr, which called itself the first ‘node-as-a-service’ platform, has suffered a multi-million dollar exploit due to a bug in its code that allowed for unlimited minting of its token.

Our analysis shows the $aBNBc token contract has an unlimited mint bug. Specifically, while mint() is protected with onlyMinter modifier, there is another function (w/ 0x3b3a5522 func. signature) that completely bypasses the caller verification to have arbitrary mint !!! https://t.co/h51e7xpcVf pic.twitter.com/caRgasNNHq

— PeckShield Inc. (@peckshield) December 2, 2022

According to security research firm PeckShield, the code behind the Ankr contract allows any user to mint an unlimited amount of the protocol’s reward-bearing staking tokens without any sort of verification. This allowed the attacker to mint six quadrillion of the aBNBc token.

Since minting the quadrillions of aBNBc token, the attacker was able to swap 20 trillion of the aBNBc token for BNB, then move it to Tornado Cash. The attacker then swapped the BNB tokens for 5 million USDC.

As the hacker has nearly completely drained the aBNBc liquidity pools on PancakeSwap and ApeSwap, the token has lost nearly 99% of its value, according to CoinGecko data.

Ankr tweeted that all staked assets within the protocol are currently safe.

On-chain analyst firm Lookonchain reported that one opportunistic trader was able to cash in on the exploit and turn 10 BNB ($2,885) into 15.5 million BUSD. The trader did this by taking advantage of DeFi lending protocol Helio, which did not have up-to-date pricing on aBNBc post-crash.

The trader was also able to use the pre-crash pricing for aBNBc to borrow $16 million of the little-traded HAY stablecoin and convert that into BUSD. Since then, the HAY stablecoin has been tossed off its peg, hitting a low of 20 cents, and is now recovering, according to CoinMarketCap, with a price of 77 cents.