By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage and assist in our marketing efforts.
On December 02, 2022, the dumping of massive amount of aBNBc tokens on decentralized exchange opened the door for
another exploit in which Helio Protocol was attacked and profited the attacker by approximately $15.5 million.
The root cause of the vulnerability is due to the failure of oracle in updating the price of the associated tokens
after they had crashed to a significantly lower value than they earlier trading price.
The Ankr protocol had suffered a governance key compromise, allowing an attacker to mint massive amount of $aBNBc
tokens. We have outlined the detailed analysis of the exploit
in our blog post.
After the Ankr Exploiter dumped $aBNBc tokens, another user bought 183,885 $aBNBc tokens from 1inch for just 10 $BNB, which were worth about $2,879 at the time the event took
place.
The attacker then deposited the 183,884 $aBNBc tokens into Helio Money to receive back 191,130 $hBNB tokens.
The price oracle of Helio was not updated during the exploit that took place with the $aBNBc tokens.
The attacker used the $aBNBc tokens they had already deposited as collateral to borrow 16,444,740 $HAY tokens.
The attacker then swapped 16,444,740 $HAY tokens to 15,504,986 BUSD.
The swapped BUSD is then transferred to this address involving three different transactions, and then to Binance hot wallet.
Changpeng Zhao, CEO of Binance also tweeted that the Binance exchange had frozen around $3 million of the funds that the hackers had moved to their CEX
during this process.
The stablecoin $HAY de-pegged following the incident and fell to a low of roughly $0.21.
In a statement, the team explained that they were collaborating with Ankr Protocol to resolve the issue and that they had
proposed a bilateral arrangement in which Ankr would pay for Helio's bad debt as a result of this
exploit.
Additionally, in order to aid with the re-peg of $HAY, Ankr would be purchasing any extra $HAY that is
produced as a result of the discounted $aBNBc and send it to a burn address.
There is no silver bullet when it comes to price oracles. However, oracles like ChainLink can help to prevent such attacks to a great degree.
Because this is an oracle price manipulation attack, the effect of this attack could have been considerably reduced
if the Helio Protocol had a dedicated cover pool in the Neptune Mutual marketplace. We normally do not provide oracle
attack coverage, but we can make an exception in some cases.
Users who acquire our parametric cover policies are not required to present loss evidence in order to receive payouts. The payouts can be claimed as soon as an
incident like this is resolved via our governance system.
Furthermore, please keep in mind that just auditing
smart contracts alone for vulnerabilities is insufficient. Neptune Mutual's security team can evaluate your preferred
protocol for DNS and web-based security, smart contract evaluations, and frontend and backend security.
We have sent email confirmation. Please confirm to receive our
newsletter.
Unfortunately, something went wrong while trying to complete your
request. Please try again later. If the problem persists, do not
hesitate to let us know through the community channels.
