Monday 30 January 2023

Ankr says ex-employee caused $5M exploit, vows to improve security

A $5 million hack of the Ankr protocol on Dec. 1 was caused by a former team member, according to a Dec. 20 announcement from the Ankr team.

The ex-employee conducted a “supply chain attack” by putting malicious code into a package of future updates to the team’s internal software. Once this software was updated, the malicious code created a security vulnerability that allowed the attacker to steal the team’s deployer key from the company’s server.

Previously, the team had announced that the exploit was caused by a stolen deployer key that was used to upgrade the protocol’s smart contracts. But at the time, they had not explained how the deployer key had been stolen.

Ankr has alerted local authorities and is attempting to have the attacker brought to justice. It is also attempting to shore up its security practices to protect access to its keys in the future.

Upgradeable contracts like those used by Ankr rely on the concept of an “owner account” that has sole authority to make upgrades, according to an OpenZeppelin tutorial on the subject. Because of the risk of theft, most developers transfer ownership of these contracts to a Gnosis Safe or other multisignature account. The Ankr team said that it had not used a multisig account for ownership in the past but will do so from now on, stating:

“The exploit was possible partly because there was a single point of failure in our developer key. We will now implement multi-sig authentication for updates that will require signoff from all key custodians during time-restricted intervals, making a future attack of this type extremely difficult if not impossible. These features will improve security for the new ankrBNB contract and all Ankr tokens.”
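As an added illustration of the owner-account model described above and the time-restricted multi-sig sign-off the team announced, here is a minimal upgrade authority in Solidity (example code written for this page, not Ankr's contracts or OpenZeppelin's library; the contract and function names, the DELAY and WINDOW values, and the rule that the new owner must be a contract are assumptions of this example):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Upgrade authority for a proxy-style contract: only `owner` may change
// `implementation`. A single-EOA owner (the deployer key) is the single point of failure.
contract UpgradeAuthority {
    address public owner;
    address public implementation;
    // Time-restricted upgrade interval (assumed values for this example).
    uint256 public constant DELAY = 2 days;  // earliest execution after proposal
    uint256 public constant WINDOW = 1 days; // how long a proposal stays valid
    address public pendingImpl;
    uint256 public readyAt;

    event UpgradeProposed(address indexed impl, uint256 readyAt);
    event Upgraded(address indexed impl);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(address initialImpl) {
        owner = msg.sender; // the deployer key starts as sole upgrade authority
        implementation = initialImpl;
    }

    // Step 1: announce the upgrade. Nothing changes yet, so monitoring and the
    // other custodians get DELAY to spot an unexpected proposal.
    function proposeUpgrade(address newImpl) external onlyOwner {
        require(newImpl.code.length > 0, "not a contract");
        pendingImpl = newImpl;
        readyAt = block.timestamp + DELAY;
        emit UpgradeProposed(newImpl, readyAt);
    }

    // Step 2: execute only inside [readyAt, readyAt + WINDOW]; a stale proposal
    // cannot be replayed by whoever later obtains the key.
    function executeUpgrade() external onlyOwner {
        require(pendingImpl != address(0), "nothing pending");
        require(block.timestamp >= readyAt, "too early");
        require(block.timestamp <= readyAt + WINDOW, "window closed");
        implementation = pendingImpl;
        emit Upgraded(pendingImpl);
        pendingImpl = address(0);
    }

    // The article's mitigation: hand `owner` to a multisig (e.g. a Gnosis Safe)
    // so each step needs the custodians' signatures rather than one key.
    function transferOwnership(address multisig) external onlyOwner {
        require(multisig.code.length > 0, "new owner must be a contract");
        owner = multisig;
    }
}
```

In production the same shape is normally obtained with OpenZeppelin's ProxyAdmin and TimelockController owned by a Safe rather than a hand-written contract; the value of the pattern is that a stolen deployer key alone can no longer push an upgrade, and a pending proposal is visible on-chain before it takes effect.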

Ankr has also vowed to improve human resources practices. It will require “escalated” background checks for all employees, even ones who work remotely, and it will review access rights to make sure that sensitive data can only be accessed by workers who need it. The company will also implement new notification systems to alert the team more quickly when something goes wrong.

The Ankr protocol hack was first discovered on Dec. 1. It allowed the attacker to mint 20 trillion Ankr Reward Bearing Staked BNB (aBNBc), which was immediately swapped on decentralized exchanges for around $5 million in USD Coin (USDC) and bridged to Ethereum. The team has stated that it plans to reissue its aBNBb and aBNBc tokens to users affected by the exploit and to spend $5 million from its own treasury to ensure these new tokens are fully backed.

The developer has also deployed $15 million to repeg the HAY stablecoin, which became undercollateralized due to the exploit.


About Jude Savage

