After Action Report: Our Findings From the aBNBc Token Exploit
December 20, 2022
After restoring security and responding to the events of the Dec. 1st exploit of our aBNBc token, Ankr has carefully reviewed the facts and taken steps to prevent any attacks like it in the future. Regardless of any damage done, we are proud of how the team handled the situation at every turn and did right by taking care of our community.
After the hack Ankr immediately:
- Restored security and worked with DEXs to halt trading
- Formed and executed a thorough recovery plan for the community
- Identified the exploiter (currently working with law enforcement to take appropriate legal action)
Who Caused The Exploit?
A former team member (who is no longer with Ankr) acted maliciously, combining social engineering with a supply chain attack: they inserted a malicious code package that was able to compromise our private key once a legitimate update was made. We are in the process of working with law enforcement to prosecute the former team member and bring them to justice. Unfortunately, internal bad actors can affect any protocol, and we are working on shoring up internal HR processes and safety measures to strengthen our security posture going forward.
How Did We Respond?
Immediate Action Taken To Halt the Attack
Right away, Ankr took several actions to minimize any damage from the exploit:
- Communicated the exploit to the public and executed plans to resolve the situation as quickly as possible.
- Alerted known off-ramps to implement their emergency plans and halt trading.
- Secured the smart contracts with a new key, preventing any further tampering.
- Updated smart contracts and systems to temporarily pause the movement of the underlying collateral (BNB) within our liquid staking product to be safe.
Formed a Recovery Plan
Ankr took several measures to start compensating users to the full extent of the losses they incurred as a result of the exploit. The team used our own Advanced API Tool to find every aBNBc token holder in 10 seconds – a task that would have taken several hours to complete using normal query methods on a dedicated node.
- Took a snapshot to identify affected users
- Created a new ankrBNB token
- Airdropped the token to affected holders
- Determined reimbursement plan for most impacted users
Reimbursed Our Community
Ankr is a Web3-native organization with an extremely strong community. To uphold this reputation, we needed to do the right thing and reimburse all token holders who were affected.
- Fixed damage to Helio (aBNBc borrowing platform) by re-stabilizing HAY Price. We will continue purchasing HAY if the token remains unpegged until all funds are spent.
- Airdropped ankrBNB to the affected aBNBc or aBNBb token holders
- Airdropped BNB to all affected DeFi liquidity providers
- Reached an agreement to reimburse Wombat stkBNB LPs and planned to provide 100% coverage of the BNB Wombat LPs.
See more details on our recovery plan.
What Are We Improving?
Ankr is now implementing several improvements to our security posture. Here are a few notable reinforcements:
Requiring Multi-sig Authentication & Timelocks for All Updates
The exploit was possible partly because there was a single point of failure in our developer key. We will now implement multi-sig authentication for updates that will require signoff from all key custodians during time-restricted intervals, making a future attack of this type extremely difficult if not impossible. These features will improve security for the new ankrBNB contract and all Ankr tokens.
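A small Python model of the upgrade policy described above, added here as an illustration and not Ankr's contract code: every custodian must approve the exact upgrade payload, and execution is refused until a timelock has elapsed. The custodian names, the delay value and the class and method names are assumptions, and the timelock is modelled as a minimum delay, which is one reading of "time-restricted intervals".

```python
import hashlib
from dataclasses import dataclass, field

class Rejected(Exception):
    """Raised when an upgrade step violates the policy."""

@dataclass
class UpgradeGate:
    custodians: frozenset   # constructed custodian key IDs (assumption)
    delay_s: int            # timelock length in seconds (assumed value)
    pending: dict = field(default_factory=dict)  # payload digest -> state

    @staticmethod
    def digest(payload: bytes) -> str:
        # Approvals bind to the exact upgrade bytes, not to a name or version.
        return hashlib.sha256(payload).hexdigest()

    def propose(self, signer: str, payload: bytes, now: int) -> str:
        self._check(signer)
        d = self.digest(payload)
        # Proposing starts the clock and counts as the proposer's approval.
        self.pending[d] = {"eta": now + self.delay_s, "approved": {signer}}
        return d

    def approve(self, signer: str, d: str) -> None:
        self._check(signer)
        if d not in self.pending:
            raise Rejected("unknown proposal")
        self.pending[d]["approved"].add(signer)

    def execute(self, payload: bytes, now: int) -> str:
        d = self.digest(payload)
        state = self.pending.get(d)
        if state is None:
            raise Rejected("payload was never proposed")
        missing = self.custodians - state["approved"]
        if missing:  # all custodians must sign off, so one stolen key is not enough
            raise Rejected(f"missing approvals: {sorted(missing)}")
        if now < state["eta"]:
            raise Rejected("timelock has not elapsed")
        del self.pending[d]  # a proposal can be executed only once
        return d

    def _check(self, signer: str) -> None:
        if signer not in self.custodians:
            raise Rejected("not a custodian")
```

Because approvals are keyed by the payload digest, swapping the upgrade contents after sign-off produces a different digest that has no approvals and no elapsed timelock.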
Revamping internal security measures
Ankr will now require escalated background checks for all employees (including all contractors and remote workers) while taking extra measures to verify the current status of those currently working at Ankr. We are also reviewing access rights and taking extra steps to minimize entry to any sensitive systems.
Implementing new monitoring & notification systems
The team was able to catch the attack extremely quickly, but we can always work on improving our response time. We are implementing new notification systems to alert key personnel so they can be online faster at any time of day.
Refining procedures for working with DeFi protocols
Now that we’ve been through the experience of working with teams from other protocols after an incident, we can improve the process, using the precedent set for responding with international teams through streamlined communication channels.
More Updates To Come
We want to thank the community for your ongoing support during this time!
We are still working on ensuring all loose ends are tied up and all affected users we identified have been reimbursed. Our goal is to resolve every inquiry that has stemmed from the exploit and this will take time. Thank you for your patience and understanding.