Ankr is a decentralized web3 infrastructure provider. They have an excellent public RPC service, which I have used myself, and a liquid staking service on several chains. They have also been hacked. On Dec 1st, in an apparent compromise of their deployer key, Ankr was hacked on Binance Smart Chain, losing over $5.5M USD.
The attacker gained access to the Ankr deployer key. Earlier in the day, Ankr performed several maintenance operations related to its tokenomics. Everything seemed in order. It is unknown at this time whether the deployer key leaked during those operations, or whether the attack was planned to coincide with this time.
The affected aBNBc token is an upgradeable token. That means that whoever holds the admin key can replace the token's code at any time. This is exactly what the attacker did: he first deployed a malicious implementation contract, then upgraded the token to use that attack code. One transaction later, he was the proud owner of 10 quadrillion aBNBc, which he promptly dumped.
Over the next 30 minutes, the attacker bridged his ill-gotten gains to Ethereum and Polygon. Some $170k remains on Binance Smart Chain, split between the exploiter address and Tornado Cash.
Ankr is aware of the incident and is working to do damage control. Hopefully we will see a full post-mortem in the coming days.
The root cause of this attack lies in their loss of the governance key, but really, that key shouldn’t have been the single point of failure anyway. Multisignature wallets or timelocks are industry standard at this point for a reason. Sure, they’re slightly more complex to use – but changing upgradeable contracts is a complex business anyway. Any team that can manage that can do it through a multisig. It’s not THAT hard.
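To make the point concrete, here is what the multisig-plus-timelock setup looks like for an upgradeable token like the one described above. This is an added example written for this post, not Ankr's code and not the aBNBc deployment: it assumes OpenZeppelin Contracts v4.8.x (the `ProxyAdmin`, `TransparentUpgradeableProxy` and `TimelockController` names and constructor signatures are the library's), and the `GuardedDeploy` contract, its `deploy` and `upgradeCalldata` functions and the `multisig` address are illustrative. The ownership chain it builds is proxy, then `ProxyAdmin`, then `TimelockController`, with a multisig as the only proposer, so no single key can swap the implementation in one transaction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not Ankr's code. Assumes OpenZeppelin Contracts v4.8.x; the
// imported contracts are the library's, GuardedDeploy itself is illustrative.
import "@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol";
import "@openzeppelin/contracts/proxy/transparent/ProxyAdmin.sol";
import "@openzeppelin/contracts/governance/TimelockController.sol";

/// @notice Deploys an upgradeable token behind a ProxyAdmin that is owned by a
/// TimelockController whose only proposer is a multisig. Upgrading the token
/// therefore needs a multisig quorum AND a public waiting period of `minDelay`,
/// instead of one signature from a deployer key.
contract GuardedDeploy {
    event Deployed(address proxy, address proxyAdmin, address timelock);

    function deploy(
        address logic,            // initial token implementation (must be a deployed contract)
        bytes calldata initData,  // e.g. abi.encodeWithSignature("initialize(...)", ...)
        address multisig,         // hypothetical Safe-style multisig that proposes upgrades
        uint256 minDelay          // seconds between scheduling and execution, e.g. 2 days
    ) external returns (address proxy, address proxyAdmin, address timelock) {
        // 1. ProxyAdmin is the only account the proxy accepts upgrade() calls from.
        //    Its Ownable constructor makes this contract the owner for now (see step 4).
        ProxyAdmin admin = new ProxyAdmin();

        // 2. The token proxy. Users' calls are delegated to `logic`; only `admin`
        //    can change which logic that is.
        TransparentUpgradeableProxy p =
            new TransparentUpgradeableProxy(logic, address(admin), initData);

        // 3. Timelock: the multisig proposes (and can cancel); the zero address in
        //    the executor list opens execution to anyone once the delay has passed.
        //    Passing address(0) as admin makes the timelock self-administered, so
        //    the deploying account keeps no role on it.
        address[] memory proposers = new address[](1);
        proposers[0] = multisig;
        address[] memory executors = new address[](1);
        executors[0] = address(0);
        TimelockController tl =
            new TimelockController(minDelay, proposers, executors, address(0));

        // 4. Hand the ProxyAdmin to the timelock. From this point on, the key that
        //    ran this deployment has no power over the token's code.
        admin.transferOwnership(address(tl));

        emit Deployed(address(p), address(admin), address(tl));
        return (address(p), address(admin), address(tl));
    }

    /// @notice Calldata the multisig submits via timelock.schedule(...) and, after
    /// `minDelay`, anyone submits via timelock.execute(...), both with
    /// target = proxyAdmin and value = 0. The upgrade cannot skip the delay.
    function upgradeCalldata(address proxy, address newLogic)
        external
        pure
        returns (bytes memory)
    {
        return abi.encodeWithSelector(ProxyAdmin.upgrade.selector, proxy, newLogic);
    }
}
```

The design choice worth noticing is step 3: while an upgrade sits in the timelock it is visible on-chain (the timelock emits `CallScheduled`), so holders, integrators and the team's own monitoring get `minDelay` to notice an implementation they did not expect and cancel it through the multisig. In the attack described above the implementation swap and the mint happened in consecutive transactions; with this layout, a stolen deployer key gets you nothing, and a stolen multisig signer still leaves a public waiting period.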
Stay safe out there, anon.