Binance’s Crypto Dips on Heels of Confirmed Exploit on BNB Chain

UPDATED: The hacker successfully extracted around $100 million before being shut down

article-image

Source: DALL·E

share

key takeaways

  • Early indications are that Binance’s network has been hacked for hundreds of millions of dollars
  • According to on-chain analysis by Blockworks’ Research, the attacker, or attackers, have managed to “bridge out” to several other chains, including Avalanche and Polygon

Binance’s network, BNB Chain, has been hacked for potentially hundreds of millions of dollars in what the cryptocurrency exchange initially dubbed a “potential exploit” of a cross-chain bridge and later confirmed, promising a full post-mortem.

Binance on Twitter said it had paused its network, sending the price of Binance Coin (BNB) lower on the news, as the cryptoasset changed hands for as little as $279 by 7:50 pm ET. By Friday morning, the price had recovered to around $285, according to data compiled by Blockworks.

“An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly,” Binance CEO Changpeng Zhao later confirmed via Twitter.

BSC Token Hub is the bridge between BNB Beacon Chain (BEP2) and BNB Chain (BEP20 or BSC). Binance had earlier said it was temporarily pausing its chain due to “irregular activity.”

Eagle-eyed Twitter users appeared to be the first to identify roughly two million BNB — more than $566 million — that had been transferred to an apparent attacker’s address who has so far managed to bridge out somewhere in the neighborhood of $110 million.

In a post on Reddit at around 7:15 pm ET, Binance thanked node service providers for their “quick and attentive response.”

Those providers include Hash, Neptune, TW Staking, BSCScan, Legend, CertiK, Figment, NodeReal, Namelix, Defibit, Fuji, InfStones, MathWallet, Pexmons, Ankr, BNB48 Club, Avengers, Tranchess and Coinbase Cloud.

Stewards of BNB Chain are now requesting BSC Validators to get in touch with them over the next few hours to plan a node upgrade.

Total losses could prove to be much less

The wallet address, confirmed by Ryan West, a Blockworks’ Research analyst, shows the wallet has transferred roughly $53 million of BNB to ether (ETH), plus $48 million to the Fantom blockchain, as well as additional funds to the Avalanche, Optimism and Polygon protocols.

“Thanks to the community and our internal and external security partners, an estimated $7M has already been frozen,” Binance tweeted shortly after advising users of the exploit.

The same wallet belonging to the attacker is blacklisted from Tether, per West.

Roughly $433 million, 80% of the total, remained on the BNB Chain a few hours after the stock market’s closing bell in New York, cybersecurity firm Halborn told Blockworks. Counting these funds, it would mark the industry’s second-largest hack, following the Axie Infinity Ronin Bridge exploit in March for $625 million.

According to on-chain analysis, the attacker used the cross-chain bridge protocol Stargate to transfer out. Binance representatives did not immediately return a request for comment.

BNB Chain, via Twitter, puts the loss — funds moved off of the halted BNB chain — at between $70 million and $80 million.

Understanding the mechanics of the exploit

Paradigm researcher Sam Sun, better known as @Samczsun on Twitter, published a detailed analysis of the exploit explaining how the attacker manipulated a bug in the Binance Bridge.

Loading Tweet..

“The threat actor did not need any inside information in order to effectuate this attack,” David Schwed, chief operating officer at Halborn, told Blockworks via Telegram, adding “all information required to exploit was publicly available.”

Next steps for BNB community

BNB Chain posted an update at around 5 am ET, calling the exploit “a sophisticated forging of the low level proof into one common library.”

Although the BNB Chain is paused, the bug remains active and will need to be fixed before full service can be restored.

The blog post calls for an on-chain governance vote to assess the next steps in four areas:

  1. What to do with the hacked funds — freeze or not to freeze?
  2. Whether to use BNB auto-burn to cover the remaining hacked funds, or not?
  3. A whitehat program for future bugs found, $1 million for each significant bug found.
  4. A bounty for catching hackers, up to 10% of the recovered funds.

To safely enable such a vote, the “validator voting function for general opinions will be switched on in the next few days via an upgrade of BNB Beacon Chain,” the post said.

No specific timeline is set for reactivation of the chain.

The simple fact that the BNB Chain could be halted in this manner calls into question the decentralization of the project, which has only 26 active validators. BNB Chain acknowledged the concern, but portrayed it as a strength.

“Decentralized chains are not designed to be stopped, but by contacting community validators one by one, we were able to stop the incident from spreading,” they said, adding “This delayed closure, but we were able to minimize the loss.”

Macauley Peterson contributed reporting.

This story was updated on Oct. 7 at 5:30 am ET and 8:57 am ET.


Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.

Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Javits Center North | 445 11th Ave

Tues - Thurs, March 18 - 20, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

recent research

LTIPPanalysis.png

Research

This report is a retroactive analysis of Arbitrum's Long Term Incentives Pilot Program (LTIPP). We collect relevant data at a protocol level and review bi-weekly updates to analyze recipients, their strategies, and the impact of the incentives on high level growth metrics. In particular, we want to highlight outperformers and underperformers, and glean any best practices or lessons learned for protocols distributing ARB incentives in the future. The overarching goal is to synthesize lessons learned that the DAO can reference as it begins thinking about future incentives programs–namely, the working group for incentives that is being actively discussed–especially as Timeboost introduces new conditions for trading and economic activity.

article-image

Sponsored

AI project Zerebro intersects the spheres of artificial intelligence, finance, art, music, and culture

article-image

Allmight is focused on furthering the United States’ leadership in crypto

article-image

The conditions Charles Schwab is waiting for before jumping headfirst into crypto could take shape soon

article-image

The FCA’s director of payments and digital assets shared some takeaways from chats with crypto companies and law firms

article-image

Let’s take a look at how US equities typically perform this time of year and what we might see in the coming days

article-image

Lumina introduces transparency and permissionless integration via an OP stack-based optimium, challenging traditional oracle designs