Ankr says ex-employee created $5 million exploit and promises to improve security
According to a Dec. 20 announcement by the Ankr team, a $5 million hack of the Ankr protocol on Dec. 1 was caused by a former team member.
The former employee conducted a “supply chain attack” by inserting malicious code into a package of future updates to the team’s internal software. Once this software was updated, the malicious code created a security hole that allowed the attacker to steal the team’s deployer key from the company’s server.
After-action report: Our insights from the aBNBc token exploit
We just published a new blog post that goes into detail about this: https://t.co/fyagjhODNG
— Ankr Staking (@ankrstaking) December 20, 2022
Previously, the team announced that the exploit was caused by a stolen deployer key used to upgrade the protocol’s smart contracts. But at the time, they hadn’t explained how the deployer key had been stolen.
Ankr has alerted local authorities and is attempting to bring the attacker to justice. It’s also trying to improve its security practices to protect access to its keys in the future.
Upgradeable contracts, as used by Ankr, rely on the concept of an “owner account” which, according to an OpenZeppelin tutorial on the subject, has sole authority to make upgrades. Because a single key can be stolen, most developers transfer ownership of these contracts to a Gnosis Safe or other multisig account. The Ankr team says it has not used a multisig account for ownership in the past but will from now on, stating:
“The exploit was possible in part because there was a single point of failure in our developer key. We will now implement multi-sig authentication for updates that require approval from all key managers at timed intervals, making a future attack of this type extremely difficult, if not impossible. These features will improve security for the new ankrBNB contract and all Ankr tokens.”
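To make the owner-account model concrete, here is an added example (not Ankr's code and not OpenZeppelin's own deployment tooling): a minimal UUPS upgradeable token whose upgrade authority is whatever address is passed at initialization, deployed so that a Safe multisig rather than the deployer key holds that authority. It assumes OpenZeppelin Contracts v5 import paths and the hypothetical contract names StakedTokenV1 and Deploy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed: OpenZeppelin Contracts v5 (upgradeable and standard packages).
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/token/ERC20/ERC20Upgradeable.sol";
import "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Hypothetical token implementation living behind an ERC-1967 proxy.
contract StakedTokenV1 is ERC20Upgradeable, OwnableUpgradeable, UUPSUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the bare implementation so nobody can initialize it directly.
        _disableInitializers();
    }

    // `upgradeAuthority` becomes the owner, i.e. the only address that can
    // swap the implementation. Passing the deployer EOA here recreates the
    // single point of failure described in the article; passing a Safe
    // multisig address means a stolen deployer key cannot upgrade the proxy.
    function initialize(address upgradeAuthority) external initializer {
        __ERC20_init("Example Staked Token", "exST");
        __Ownable_init(upgradeAuthority); // v5 signature takes the initial owner
        __UUPSUpgradeable_init();
    }

    // UUPS hook: every upgradeToAndCall() is gated on the owner check.
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

// Hypothetical deployer. The EOA that sends this transaction never holds
// upgrade rights: ownership is set to `safe` in the same transaction as
// the proxy is created, so there is no window where an EOA owns it.
contract Deploy {
    function deploy(address safe) external returns (address proxy) {
        require(safe.code.length > 0, "upgrade authority must be a contract (multisig)");
        StakedTokenV1 impl = new StakedTokenV1();
        bytes memory init = abi.encodeCall(StakedTokenV1.initialize, (safe));
        proxy = address(new ERC1967Proxy(address(impl), init));
    }
}
```

The `safe.code.length` check is a cheap guard against accidentally passing an externally owned account as the authority; it does not prove the contract is a multisig with a sensible threshold, which should be verified separately.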
Ankr has also vowed to improve HR practices. It will require “escalated” background checks for all employees, including those working remotely, and it will review access rights to ensure that only the employees who need sensitive data can access it. The company will also implement new notification systems to alert the team more quickly when something goes wrong.
The Ankr protocol hack was first discovered on December 1. It allowed the attacker to mint 20 trillion Ankr Reward Bearing Staked BNB (aBNBc), which was immediately traded on decentralized exchanges for around 5 million USD Coin (USDC) and bridged to Ethereum. The team has stated that it plans to reissue its aBNBb and aBNBc tokens to users affected by the exploit and spend $5 million from its own treasury to ensure these new tokens are fully backed.
The developer has also committed $15 million to re-peg the stablecoin HAY, which was undercollateralized due to the exploit.