Following yesterday's confirmed multimillion-dollar exploit, BNB Chain-based protocol Ankr took to its company blog on Dec. 2 to relay its next steps to users.
The team said it was identifying liquidity providers to decentralized exchanges (DEXs) as well as protocols supporting aBNBc or aBNBb LP. The group also said it is assessing aBNBc collateral pools, such as Midas and Helio. According to the post, Ankr intends to purchase $5 million worth of BNB (BNB), which it will use to compensate liquidity providers affected by the exploit.
Some users also speculatively traded diluted aBNBc after the exploit occurred, but the company indicated that these traders won’t be included in the protocol’s recompense measures, stating, “we are only able to compensate LP’s caught off guard by the event.”
The developers gave a brief explanation of how the hack occurred. A malicious actor gained access to the team’s “deployer key,” the key originally used to deploy the protocol’s smart contracts. Since the contracts are upgradeable, this allowed the attacker to deploy an entirely new version of one of the contracts, which gave them the ability to mint an unlimited number of coins “without authorization checks.”
After gaining this power, the team said that the attacker minted 60 trillion aBNBb tokens “out of thin air.” These were swapped for USD Coin (USDC) and moved off the network through bridges to Ethereum.
In response, the team first transferred ownership of the contracts to a new, uncompromised account. This secured the contracts, preventing the attacker from doing any further damage. Ankr’s validators, RPC API and App Chain services were not compromised, so transferring ownership of the contracts was the only action needed to restore security.
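The sequence described above (an upgrade signed by a single key, followed by a mint far larger than the existing supply) is something a monitoring job can flag. The following is an added example, not Ankr's code: the event records are simplified and constructed, and the governance address, threshold and block window are assumptions.

```python
from dataclasses import dataclass

# Assumption: upgrades are only expected from this governance account
# (for example a multisig or timelock). Constructed placeholder value.
GOVERNANCE = "0xGOVERNANCE_TIMELOCK"
MINT_RATIO_LIMIT = 0.10  # assumed threshold: one mint above 10% of supply

@dataclass
class Event:
    block: int
    kind: str       # simplified record type: "Upgraded" or "Mint"
    sender: str     # account that signed the transaction
    value: int = 0  # minted amount, for Mint records

def scan(events, supply, window=50):
    """Return (block, reason) alerts for upgrades made outside governance
    and for oversized mints, escalating mints that closely follow one."""
    alerts = []
    untrusted_upgrade_block = None
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "Upgraded":
            if ev.sender != GOVERNANCE:
                untrusted_upgrade_block = ev.block
                alerts.append((ev.block, "upgrade-outside-governance"))
        elif ev.kind == "Mint":
            oversized = supply > 0 and ev.value / supply > MINT_RATIO_LIMIT
            recent = (untrusted_upgrade_block is not None
                      and ev.block - untrusted_upgrade_block <= window)
            if oversized and recent:
                alerts.append((ev.block, "mint-after-untrusted-upgrade"))
            elif oversized:
                alerts.append((ev.block, "oversized-mint"))
            supply += ev.value  # track running supply for later ratios
    return alerts

# Constructed sample: normal staking mints around one upgrade signed by a
# lone deployer key, followed by a 60 trillion unit mint.
INITIAL_SUPPLY = 1_000_000
SAMPLE = [
    Event(100, "Mint", "0xSTAKER_A", 5_000),
    Event(120, "Upgraded", "0xDEPLOYER_KEY"),
    Event(121, "Mint", "0xDEPLOYER_KEY", 60_000_000_000_000),
    Event(300, "Upgraded", GOVERNANCE),
    Event(301, "Mint", "0xSTAKER_B", 2_000),
]

if __name__ == "__main__":
    for block, reason in scan(SAMPLE, INITIAL_SUPPLY):
        print(block, reason)
```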
Next, Ankr alerted all DEXs not to allow trading of aBNBc or aBNBb, and it is currently identifying liquidity providers for these tokens, such as those supplying the tokens to Helio and Midas.
The blog post emphasized that the current versions of aBNBc and aBNBb will no longer be redeemable for BNB. A snapshot will be taken of the balances that users had before the exploit. New versions of these tokens will be issued, and tokenholders will be compensated with the new coins based on the balances they had before the exploit. For this reason, the team cautioned users not to trade aBNBc or aBNBb.
Ankr also mentioned that it realized some users have engaged in arbitrage to profit from the exploit, but this arbitrage will not be rewarded, as the snapshot will be taken as of Dec. 2, 2022, 12:43:18 am UTC. Trades made after this time will not affect the holder’s reimbursement.
In addition, the developers stated that liquidity providers should remove their aBNBc and aBNBb tokens from their liquidity pools and hold the tokens in their wallets instead.