How Attackers Made $15M From Staking Platform Helio After Ankr Exploit
An unknown group of attackers were able to drain some $15 million in liquidity from BNB Chain-based staking platform Helio on Friday morning after exploiting an oracle issue on the protocol, on-chain data shows.
Oracles are third-party services that fetch data from outside sources to within a certain blockchain. Oracles are extensively used by decentralized finance (DeFi) protocols to ensure their lending, borrowing and other services are accurate. Delays, however, could mean the loss of funds as malicious traders take advantage of price differences.
The Helio exploit came hours after the DeFi Ankr was attacked for $5 million. The Ankr attacker was able to mint 6 quadrillion aBNBc tokens, which they eventually turned into roughly 5 million USDC, as CoinDesk reported.
The Ankr exploit saw the prices of aBNBc tokens plunge 99% in the minutes following the attack, setting the base for the second exploit on Helio. It is unclear at writing time if both the attacks were conducted by the same attacker or group of attackers.
Blockchain data shows that the Helio attacker acquired some 183,000 aBNBc tokens with 10 BNB during Asian morning hours on Friday. Delayed oracle data on Helio then allowed the attacker to borrow $16 million worth of HAY stablecoin.
2/ Step 3:— BlockSec (@BlockSecTeam) December 2, 2022
Since the attacker has deposited aBNBc, it can borrow 16,444,740 HAY (since the price oracle of Helio has not been updated -- using the wrong price of aBNBc). https://t.co/ks2d5Q9zli
The HAY staking pool continues to hold some $19 million in locked funds, with developers stating in European afternoon hours that staked funds remained safe. Helio said in a separate tweet that it was working to mitigate the ongoing situation and asked users to avoid transacting in HAY.
Meanwhile, some $3 million linked to the attack were frozen by crypto exchange Binance that were allegedly moved by the attackers to the exchange, founder Changpeng Zhao said in a Friday tweet.