Here’s how staking protocol Ankr got robbed in DeFi free-for-all

A compromised private key has led to an ‘infinite mint’ exploit targeting Ankr, with the fallout causing amplified collateral damage to stablecoin project Helio Money.

Ankr provides liquid staking services on Binance’s BNB blockchain, among others. Users can deposit BNB which is locked up to secure the chain under the Proof of Stake model, receiving a deposit token in return.

The exploited token, aBNBc, accumulates staking rewards via Ankr while allowing users to use their capital elsewhere in DeFi, or effectively withdraw their staking position by swapping back to BNB.

Compromised private keys are often obtained via sophisticated phishing campaigns targeting crypto projects, a favourite technique of notorious DPRK state-sponsored Lazarus Group hackers.

Read more: How the DPRK became a hacking powerhouse and why it loves crypto

Once the compromised key to Ankr’s Deployer account was obtained, the attacker was able to upgrade the aBNBc token’s contract to include malicious code. The updated contract included code which circumvented verification mechanisms, allowing anyone to mint new aBNBc tokens.

The project’s audit had warned of the “Trust Issue of Admin Keys,” however Ankr didn’t take the recommended steps to protect against the issue. 

Although the attacker minted multiple batches of 10 trillion tokens, supposedly valued at approximately $300 each, they could only get away with the $5M available via decentralized exchange PancakeSwap’s liquidity pools.

The resulting stablecoins were mostly sent to the Ethereum network, where they are being deposited into Tornado Cash in order to obfuscate the trail of funds.

Our analysis shows the $aBNBc token contract has an unlimited mint bug. Specifically, while mint() is protected with onlyMinter modifier, there is another function (w/ 0x3b3a5522 func. signature) that completely bypasses the caller verification to have arbitrary mint !!! https://t.co/h51e7xpcVf pic.twitter.com/caRgasNNHq

— PeckShield Inc. (@peckshield) December 2, 2022

Read more: Explainer: What to know about crypto mixer Tornado Cash

The draining of on-chain liquidity tanked the price of aBNBc, which opened up an opportunity for further attacks.

Helio Money is a stablecoin project which accepts aBNBc as collateral, against which users can borrow the stablecoin HAY. A separate account (possibly the same attacker) took advantage of the de-pegged aBNBc, buying up 183,884 aBNBc for just 10 BNB.

This was then used as collateral on Helio to borrow 16.4 million HAY before the price feed for aBNBc had updated to reflect the crashed price. The resulting funds were then swapped for 15.5 million Binance-pegged USD, breaking the peg of the HAY stablecoin in the process.

Another user profited $3.5 million using the same technique. The proceeds from both were deposited to Binance, who claim to have frozen $3 million so far.

For more informed news, follow us on Twitter and Google News or listen to our investigative podcast Innovated: Blockchain City.