Ankr, a cryptocurrency business, claims a former worker was responsible for the $5 million hack on its platform earlier this month.
On December 2, a hacker exploited a smart contract for the aBNBc token, one of Ankr’s staking rewards tokens. A flaw in its code allowed the token to be minted without limit on the Binance-branded BNB Chain.
In a blog post on Tuesday, the decentralized finance protocol claimed that a former staff member was responsible for the hack. The person was not named.
“A former team member (who is no longer with Ankr) acted maliciously to conduct a supply chain attack, inserting a malicious code package that was able to compromise our private key once a legitimate update was made.”
Crypto intelligence company Arkham had previously raised the prospect of an inside job, after on-chain investigators connected similar transactions to an Ankr deployer.
“Unfortunately, internal bad actors can affect any protocol, and we are working on shoring up internal HR processes and safety measures to strengthen our security posture going forward,” added Ankr.
The team is now cooperating with law enforcement in order to possibly prosecute the former team member.
Ankr previously claimed that by deploying a new contract that permitted minting without authorization checks, the attacker “minted an excess of aBNBc out of thin air.” The attacker then exchanged it for other tokens on decentralized exchanges.
Over the course of six transactions, the attacker minted a total of 60 trillion aBNBc. They exchanged some for USDC, then bridged the stablecoins to Ethereum and laundered them through Tornado Cash.
Shortly after the Ankr breach, a second flaw was discovered on the staking platform Helio, which had not updated its pricing of tokens associated with Ankr even though aBNBc had fallen by more than 99%, from $303 to $1.54.
As a result, one user was able to borrow $16 million worth of HAY, the company’s native stablecoin, using the affected Ankr tokens as collateral. According to blockchain research company BlockSec, they then exchanged those funds for $15 million in BinanceUSD (BUSD) before sending the funds to Binance.
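The stale collateral price described above is something a lending check can refuse at borrow time. The sketch below is an added example, not code from Helio, Ankr or the original report; the function names, the 5-minute age limit, the 10% deviation limit and the 50% loan-to-value ratio are assumptions, and only the $303 and $1.54 prices come from the article.

```python
from dataclasses import dataclass

# Assumed policy values for illustration; not taken from any real protocol.
MAX_PRICE_AGE_S = 300   # cached price must be at most 5 minutes old
MAX_DEVIATION = 0.10    # cached price may differ at most 10% from the reference
LOAN_TO_VALUE = 0.50    # hypothetical share of collateral value that can be borrowed


@dataclass
class PriceFeed:
    price_usd: float
    updated_at: int  # unix seconds of the last update


class StalePriceError(Exception):
    """Raised when the collateral price cannot be trusted for lending."""


def checked_price(cached: PriceFeed, reference: PriceFeed, now: int) -> float:
    """Return a usable collateral price, or raise if the cached one is stale
    or disagrees with an independent market reference."""
    if now - cached.updated_at > MAX_PRICE_AGE_S:
        raise StalePriceError("cached price is too old")
    if reference.price_usd <= 0:
        raise StalePriceError("reference price unavailable")
    deviation = abs(cached.price_usd - reference.price_usd) / reference.price_usd
    if deviation > MAX_DEVIATION:
        raise StalePriceError(f"cached price deviates {deviation:.0%} from market")
    # Value collateral conservatively: take the lower of the two prices.
    return min(cached.price_usd, reference.price_usd)


def borrow_limit_unchecked(units: float, cached: PriceFeed) -> float:
    """Weak form: trusts whatever price the platform last stored."""
    return units * cached.price_usd * LOAN_TO_VALUE


def borrow_limit_checked(units: float, cached: PriceFeed,
                         reference: PriceFeed, now: int) -> float:
    """Hardened form: lends only against a fresh, corroborated price."""
    return units * checked_price(cached, reference, now) * LOAN_TO_VALUE


if __name__ == "__main__":
    # Constructed sample: price stored before the drop, market price after it.
    stored, market, now = PriceFeed(303.0, 0), PriceFeed(1.54, 3600), 3600
    print("unchecked limit for 1000 units:", borrow_limit_unchecked(1000, stored))
    try:
        borrow_limit_checked(1000, stored, market, now)
    except StalePriceError as err:
        print("borrow refused:", err)
```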
Later, Ankr implemented a recovery plan for the community that included paying compensation to its lenders, liquidity providers, and other users who were affected by the exploit.
The team also contributed to the stabilization of HAY when the stablecoin depegged; however, the token has not yet fully regained its original value and is now trading at just over $0.99.
Ankr expects that requiring multi-sig authentication for updates will prevent further attacks. The team is also revising access privileges and running background checks on personnel.