Metaguard CEO Savaş Yodem, cryptocoin.com discussed the Binance hack event that shook the market for its readers. Binance Hacked/BNB Hacked took place on 07 October 2022. An attacker stole 2M BNB (~566M USD) from Binance Bridge. When I wanted to analyze the event in terms of Cyber Security, the results I found led me to a very familiar type of attack, Enterprise Internal Threat Attacks.
BNB Hacked truth: A Business Insider Threat Attack?
The cyber attacker convinced Binance Bridge to send 1,000,000 BNB with the Smart Contract vulnerability, which he found, twice. Binance, as I just learned, has a special Smart Contract that is used to validate “IAVL Trees” transactions. If you don’t know anything about “IAVL Trees” operations, don’t worry. Few people know about this contract anyway.
Basically, when an “IAVL Trees” transaction is validated, a list of “operations” is specified, and then Binance Bridge typically waits for a response from either, one an “iavl : v” transaction and the other a “multistore” transaction. Both transactions had to be successful for a proof to be established. At this point, the cyber attacker seems to have succeeded with the manipulated values that he posted to the right spot twice, without making any prior attempts.
Metaguard CEO Savaş YonemIn summary, there was a software bug in the way Binance Bridge validated evidence that could allow attackers to create manipulated posts. Fortunately, the hacker only struck twice here, but the damage could have been much worse if you inspected the target wallet. So the cyber attacker seems to have acted with some mercy.
Another interesting situation in this cyber attack is that the wallet address that made the first transfer from Avalanche (AVAX) Blockchain to the wallet address to which the attacker transferred is highly likely to be Binance’s own cold wallet. If this is Binance’s own cold wallet used in the first transfer, the situation becomes even more interesting. Because there are two options left about the cyber attacker. Namely; Either the cyber attacker has a KYC on Binance and Binance knows who he is, or the cyber attacker is someone with trusted authority among themselves.
Adding the cyber attacker’s expert knowledge of “IAVL Trees” operations, the probability of the attack on Binance being an Enterprise Internal Threat Attack is very, very high.
