Attackers pocket $20 million in exploits on Ankr and Helio

Quick Take

  • Ankr and Helio Protocol lost a total of $20 million in two attacks.
  • $3 million of the stolen money sent to Binance was seized.

A series of connected attacks ended up costing infrastructure provider Ankr and stablecoin issuer Helio Protocol a total of $20 million, according to on-chain analysis by security firm BlockSec.

The first attack targeted a liquid staking token product run by Ankr, resulting in a loss of more than $5 million. An unknown hacker leveraged a vulnerability in Ankr's smart contract to mint trillions of aBNBc, a reward token tied the price of Binance’s exchange token BNB, as noted by BlockSec and other analysts.

Once the attacker minted those tokens, they sold and drained all of its liquidity across decentralized exchanges on BNB Chain to get away with more than $5 million. Ankr acknowledged the exploit, adding that it was working with exchanges to stop deposits from addresses connected with the attacker.

As the hacker sold off a large number of aBNBc on decentralized exchanges, the price of the aBNBc token collapsed by more than 99%. This opened the room for the second exploit.

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

In this second instance, someone acquired some 183,000 aBNBc tokens with 10 BNB ($2,900), BlockSec detected. The attacker then deposited the tokens into a BNB Chain-based stablecoin issuer Helio Protocol to drain funds.

The attacker was able to borrow $16 million in the HAY stablecoin with a small amount of aBNBc collateral as the oracle system used by Helio Protocol failed to update aBNBc prices after its rapid crash. The attacker swapped their HAY stablecoin for $15 million Binance USD (BUSD), resulting in a massive loss for the protocol. 

BlockSec noted that $15 million of the stolen funds in the second attack moved to crypto exchange Binance. So far, $3 million of the funds have been seized, according to Binance CEO Changpeng Zhao.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]

Editor

To contact the editor of this story:
Tim Copeland at
[email protected]