By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage and assist in our marketing efforts.
On December 02, 2022, the dumping of massive amount of aBNBc tokens on decentralized exchange opened the door for another exploit in which Helio Protocol was attacked and profited the attacker by approximately $15.5 million.
The root cause of the vulnerability is due to the failure of oracle in updating the price of the associated tokens after they had crashed to a significantly lower value than they earlier trading price.
The Ankr protocol had suffered a governance key compromise, allowing an attacker to mint massive amount of $aBNBc tokens. We have outlined the detailed analysis of the exploit in our blog post.
After the Ankr Exploiter dumped $aBNBc tokens, another user bought
183,885 $aBNBc tokens from 1inch for just 10 $BNB, which were worth about $2,879 at the time the event took place.
The attacker then deposited the 183,884 $aBNBc tokens into Helio Money to receive back 191,130 $hBNB tokens.
The price oracle of Helio was not updated during the exploit that took place with the $aBNBc tokens.
The attacker used the $aBNBc tokens they had already deposited as collateral to borrow 16,444,740 $HAY
tokens.
The attacker then swapped
16,444,740 $HAY tokens to 15,504,986 BUSD.
The swapped BUSD is then transferred to this address
involving three different transactions, and then to Binance hot wallet.
Changpeng Zhao, CEO of Binance also tweeted
that the Binance exchange had frozen around $3 million of the funds that the hackers had moved to their CEX during this process.
The stablecoin $HAY de-pegged following the incident and fell to a low of roughly $0.21.
In a statement
, the team explained that they were collaborating with Ankr Protocol to resolve the issue and that they had proposed a bilateral arrangement in which Ankr would pay for Helio's bad debt as a result of this exploit.
Additionally, in order to aid with the re-peg of $HAY, Ankr would be purchasing any extra $HAY that is produced as a result of the discounted $aBNBc and send it to a burn address.
There is no silver bullet when it comes to price oracles. However, oracles like ChainLink
can help to prevent such attacks to a great degree.
Because this is an oracle price manipulation attack, the effect of this attack could have been considerably reduced if the Helio Protocol had a dedicated cover pool in the Neptune Mutual marketplace. We normally do not provide oracle attack coverage, but we can make an exception in some cases.
Users who acquire our parametric cover policies
are not required to present loss evidence in order to receive payouts. The payouts can be claimed as soon as an incident like this is resolved via our governance system.
Furthermore, please keep in mind that just auditing smart contracts alone for vulnerabilities is insufficient. Neptune Mutual's security team can evaluate your preferred protocol for DNS and web-based security, smart contract evaluations, and frontend and backend security.
We have sent email confirmation. Please confirm to receive our
newsletter.
Unfortunately, something went wrong while trying to complete your
request. Please try again later. If the problem persists, do not
hesitate to let us know through the community channels.
