Cryptocurrency - Busted!

by lg0p89

When we hear of cryptocurrency, we think of Bitcoin and making millions overnight - and then losing millions the next day.

While this is the outward focus, there is still a backbone of technology underneath.  This houses the vulnerabilities that we exploit.  Historically, the general attack has been the 51 percent attack, among others, and there have been variations on it.  Recently a newer attack has become more prevalent in certain configurations.  This ingenious attack deserves a greater level of attention and applause.

This attack is far from the first and certainly won't be the last.

In 2022, there was an attack where over two billion dollars were liberated from a company.  Many of these attacks had been perpetrated by persons and groups in North Korea.

This time around, the target was the Binance coin.

This wasn't their first rodeo.  In 2019, the company was successfully attacked.  That time the amount involved was approximately seven thousand Bitcoins - or 40 million dollars.  In this round of "We Pwned You," the compromise was initially valued at 100 to 110 million dollars.  The estimates were later updated to the attackers liberating two million BNB tokens, valued at around 568 to 570 million dollars.

With this attack, the focus was on the bridge between the blockchains.  For this, they were targeting the Binance Smart Chain (BSC) token hub.

The bridge is pretty much like it sounds.  There is a link between two blockchains.  This acts like a bridge between the two to facilitate the communication.  The communication across the bridge allows for the tokens to be transferred from one blockchain (platform) to another blockchain (platform).  This attack point has been a focus for some time.

Pre-attack, the group would have reviewed a threat assessment.  The blockchain attacks usually take time and resources, so the weak points would have been looked at more closely.  The bridge process provided exactly that, with multiple points to attack.

Once this was compromised, the attackers were able to move the tokens off of the Binance network.  The attack leveraged an issue with the smart contract.  This allowed the attacker to create fraudulent transactions and have the tokens sent to their crypto wallet.  Since the smart contracts don't require human interaction to execute (by definition), this was done relatively quickly.

After the attack, they began to move the funds across different liquidity pools.  This acted to move the BNB into other assets and quasi-clean it.  Only an estimated 70 to 80 million dollars were taken off the blockchain.  The remaining money stayed on the blockchain and is not accessible to the attacker(s).

After noticing the anomalous activity, Binance temporarily halted activity and new blocks on the BSC.  After the heist, the co-founder of Binance announced the issue was contained.  Of the stolen funds taken off the blockchain (70 to 80 million dollars), approximately seven million dollars had been frozen.

The attack, while interesting on its own, does highlight the need for creative minds to test and re-test any company's processes and infrastructure.  We have to stop only using a checklist and hoping we are good.  Without a proper and robust pen-test, companies will continue to have issues.
