Operators must face the question of decentralization after the BNB Chain hack


Key Takeaways

  • BNB Chain contacted community validators one by one to stop the incident from spreading
  • “Either be fully decentralized, or be centralized enough to have responsibility for responding to security incidents,” OpenZeppelin Head of Solutions Architecture says

After attackers exploited the cross-chain bridge on Binance’s BNB Chain and extracted 2 million BNB from it, crypto security experts are wrestling with the tension between decentralization and incident response.

Michael Lewellen is head of solutions architecture at OpenZeppelin, a blockchain security company.

BNB Chain said in a statement Friday that the latest exploit affected BSC Token Hub — the native cross-chain bridge between BNB Beacon Chain and BNB Smart Chain.

Chainalysis, a blockchain-analytics firm, estimated in August that $2 billion worth of crypto had been stolen across 13 bridge hacks, and that 69% of all funds stolen this year came from attacks on bridges.

“Decentralized chains are not designed to be stopped, but by contacting community validators one by one, we were able to stop the incident from spreading,” BNB Chain said in its Friday statement.

BNB Smart Chain currently runs 26 validators and will eventually have 44, the network says, adding that it wants to bring on more validators to promote further decentralization.

BNB Chain reported that “the vast majority of the funds remain under control.” A spokesperson didn’t immediately respond to a request for further comment.

Lewellen told Blockworks that the latest hack will likely spur operators to improve automated response to security incidents across the crypto space.

OpenZeppelin was founded in 2015. Its platform lets users manage smart contracts, including upgrades and access controls. OpenZeppelin protects funds worth tens of billions of dollars for Coinbase, the Ethereum Foundation and others.

Excerpts from Blockworks’ interview with Lewellen in the wake of the hack follow.

Blockworks: What are your thoughts on this latest hack of BNB Chain?

Lewellen: It’s a bit of an odd one. This was a bug in a pre-compiled smart contract.

Binance Chain added a number of new features to the native protocol that supported smart contracts. This is how the bug was introduced. It’s important to ask whether such changes belong in the native protocol. It could have been contained in a smart contract rather than included within the scope of the native protocol. These things are very risky.


The bug’s origin, or how it appeared in the protocol, is unknown. But where code lives, and the level of safety pieces of code have depending on what layer they’re in, needs to be better.

The chains of authority and the bridges that connect them complicate things. There is no clear hierarchy. People need to pay more attention now that there are many layers going on simultaneously.   

Blockworks: Could the reaction to this hack have been improved?

Lewellen: While I think they responded well overall here, there’s a larger question of…was this really the best that could be done if that role was embraced.

I can’t speak to what the Binance Chain validator community does or how they coordinate or practice for these sorts of things…but they’ve obviously practiced it once now.

It’s not my place to speak, but observing how DeFi projects have handled this situation as their clients, it seems that there needs to be more diligence in embracing the responsibility of someone who can respond to security issues. 

If they do not have that role, then they should be upfront about it. It’s not clear if there is a hesitation to use it or not. But it does exist and I believe that we could do better in future.   

Blockworks: What are some examples of an automated response that is effective to a cyber-attack?

Lewellen: We are in the very early stages.

It’s not something I’ve heard of before. OpenZeppelin’s simulations have shown that this is feasible. And we built the tools necessary to combat it. Ironically, I believe that the teams most prepared to deal with this are the ones that have the least vulnerability.

It is also my belief that those who have been hacked most often are also the ones I consider to be least ready.

Blockworks: What tools and practices can be employed to defend quickly against hackers?  


Lewellen: What [operators] really need is something that gives you immediate notification, or basically something that is watching everything on-chain…analyzing it and then determining, “were any risks exposed here?”

If large amounts of funds get moved, it’s probably fine and part of the day-to-day operations, but if it falls out of the norm…[it’s important to have something saying] “please notify me immediately.”

If you can go further and detect things that should never occur, such as money moving out of a vault that should be locked or more tokens than what should be in the token supply existing…you know something’s happening. If not getting people immediately on call to respond, maybe even automating some of the ways that you might immediately cut down some of the exit ramps…or getting your validators to be ready to respond and maybe even doing drills with them.

Blockworks: What are the keys for operators to consider as they address future security concerns? 

Lewellen: It’s my belief that it will become a bit more transparent in terms of the roles and protocol for different operators, and the administration powers. 

Binance Chain’s response would not have been possible on Ethereum. Ethereum creates the expectation that you won’t be saved by the chain.

Either embrace or reject this type of network-based approach. Be either fully decentralized or central enough so that the responsibility of responding to incidents is shared. Accept the responsibility by being as prepared and as clear as possible with your network node administrators.
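The monitoring Lewellen describes above (watch on-chain activity, page on-call when something falls outside the norm, and treat events that should never happen, such as an outflow from a locked vault or a supply exceeding its cap, as grounds for an automated response) can be sketched as a small invariant monitor. The following is an added example written for this page; it is not code from OpenZeppelin, BNB Chain or Blockworks. The vault address, supply cap, thresholds, event shape and the sample event stream are all constructed for the illustration, and `paused` stands in for whatever exit-ramp control (a bridge pause, a validator halt) an operator actually wires up.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Hypothetical addresses and limits for this illustration.
LOCKED_VAULT = "0xLOCKEDVAULT"   # vault that must never be a transfer source
SUPPLY_CAP = 1_000_000           # hard cap on circulating token supply
MIN_BASELINE = 5                 # transfers observed before anomaly scoring starts
ZSCORE_LIMIT = 3.0               # deviation from baseline that pages on-call

# Invariant violations justify an automated response (pause an exit ramp);
# statistical anomalies only page a human, to keep false positives cheap.
HARD_INVARIANTS = {"LOCKED_VAULT_OUTFLOW", "SUPPLY_CAP_EXCEEDED"}


@dataclass
class Event:
    kind: str      # "transfer" or "mint", already decoded from the chain
    src: str
    dst: str
    amount: int
    block: int


@dataclass
class Alert:
    rule: str
    block: int
    detail: int    # amount or resulting supply, depending on the rule


@dataclass
class Monitor:
    supply: int                                    # circulating supply at start
    baseline: list = field(default_factory=list)   # sizes of normal transfers
    paused: bool = False

    def observe(self, ev: Event) -> list:
        """Check one event against hard invariants and the transfer baseline."""
        alerts = []
        if ev.kind == "mint":
            self.supply += ev.amount
            if self.supply > SUPPLY_CAP:
                alerts.append(Alert("SUPPLY_CAP_EXCEEDED", ev.block, self.supply))
        elif ev.kind == "transfer":
            if ev.src == LOCKED_VAULT:
                alerts.append(Alert("LOCKED_VAULT_OUTFLOW", ev.block, ev.amount))
            if len(self.baseline) >= MIN_BASELINE:
                mu, sigma = mean(self.baseline), pstdev(self.baseline)
                if sigma > 0 and (ev.amount - mu) / sigma > ZSCORE_LIMIT:
                    alerts.append(Alert("ANOMALOUS_TRANSFER", ev.block, ev.amount))
            if not alerts:
                # Only unflagged transfers feed the baseline, so an attacker
                # cannot slowly "train" the monitor with escalating amounts.
                self.baseline.append(ev.amount)
        if any(a.rule in HARD_INVARIANTS for a in alerts):
            self.paused = True   # stand-in for calling the real pause() exit ramp
        return alerts


def run(events, starting_supply):
    """Feed a decoded event stream through a fresh monitor; return it and all alerts."""
    mon = Monitor(supply=starting_supply)
    alerts = []
    for ev in events:
        alerts.extend(mon.observe(ev))
    return mon, alerts


# Constructed sample stream: six routine transfers, one outsized transfer,
# one outflow from the locked vault, then two mints that push supply past the cap.
SAMPLE_EVENTS = [
    Event("transfer", "0xA1", "0xB1", 120, 100),
    Event("transfer", "0xA2", "0xB2", 95, 101),
    Event("transfer", "0xA3", "0xB3", 150, 102),
    Event("transfer", "0xA4", "0xB4", 110, 103),
    Event("transfer", "0xA5", "0xB5", 130, 104),
    Event("transfer", "0xA6", "0xB6", 100, 105),
    Event("transfer", "0xA7", "0xB7", 50_000, 106),
    Event("transfer", LOCKED_VAULT, "0xB8", 10, 107),
    Event("mint", "0x0", "0xC1", 50_000, 108),
    Event("mint", "0x0", "0xC2", 100_000, 109),
]

if __name__ == "__main__":
    monitor, fired = run(SAMPLE_EVENTS, starting_supply=900_000)
    for alert in fired:
        print(alert)
    print("paused:", monitor.paused)
```

On the sample stream the outsized transfer pages on-call but does not pause anything, while the locked-vault outflow and the cap breach each flip `paused`. Keeping the two classes apart is the design point: the invariant rules encode things that can never legitimately happen, so acting on them automatically is safe, whereas the baseline rule is a heuristic that a human should confirm before any exit ramp is cut.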

LeadZevs, author of the article

LeadZevs (John Lesley) is an experienced trader specializing in technical analysis and forecasting of the cryptocurrency market. He has over 10 years of experience with a wide range of markets and assets: currencies, indices and commodities. John is the author of popular topics on major forums with millions of views and works as both an analyst and a professional trader, for clients and for himself.