Ankr hack review by SmartState team
Ankr, a Web3 infrastructure provider, was recently hacked. The loss amounted to approximately $5.5M. The attacker appears to have obtained Ankr's deployer private key.
Shortly before the hack, Ankr had performed project updates. The key may have been compromised during those updates, or the attacker may have obtained it earlier and simply chosen that moment to execute the attack.
The attacker exploited the fact that the admin could change the aBNBc code at any time: aBNBc is an upgradeable token, so whoever holds the admin key can point it at a new implementation. Using the compromised key, they injected malicious code and minted ten quadrillion aBNBc, which they then dumped. The aBNBc price collapsed to close to zero.
We see several ways Ankr could have protected the project:
- Multisignature contracts;
- Roles separation;
- Audit of the updates.
The right to modify the code could have been granted to a dedicated role rather than to the owner/deployer account, so that compromising the deployer key alone would not be enough to change the contract. Decision-making power over project finances and updates could be shared between several accounts via a multisig contract, which would make the hack much harder to carry out, since the attacker would have to obtain more than one wallet. Additionally, Ankr could keep a separate account, outside the multisig, whose only power is to stop unwanted transactions, so that an emergency halt does not have to wait for several signatures.
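As an added illustration of the role split described above (example code written for this review, not Ankr's contracts and not code SmartState audited), the Solidity below puts the upgrade right behind a separate upgrader address, meant to be an M-of-N multisig contract, gives a single pauser key nothing but the power to halt token calls, and leaves the deploying account with no authority at all once the proxy is constructed. The contract names, the custom storage-slot labels and the minimal multisig are assumptions made for the example; the EIP-1967 implementation slot is the standard one, and a production deployment would use an audited multisig such as Safe rather than the minimal one shown here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Ankr's code. Upgrade rights sit with a separate
// upgrader (meant to be a multisig), the emergency stop with a separate pauser
// key, and the deploying account keeps no power over the proxy after construction.
contract RoleSeparatedProxy {
    // Standard EIP-1967 slot: bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 private constant _IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    // Role and pause flags get their own slots so they cannot collide with the
    // implementation's storage layout (the slot labels are assumptions).
    bytes32 private constant _UPGRADER_SLOT = keccak256("example.proxy.upgrader");
    bytes32 private constant _PAUSER_SLOT = keccak256("example.proxy.pauser");
    bytes32 private constant _PAUSED_SLOT = keccak256("example.proxy.paused");

    event Upgraded(address indexed implementation);
    event Paused(bool paused);

    constructor(address impl, address upgrader, address pauser) {
        require(impl.code.length > 0, "impl not a contract");
        require(upgrader != address(0) && pauser != address(0), "zero role");
        _setAddr(_IMPL_SLOT, impl);
        _setAddr(_UPGRADER_SLOT, upgrader);
        _setAddr(_PAUSER_SLOT, pauser);
    }

    // Only the upgrader (the multisig) can swap the code behind the token.
    function upgradeTo(address newImpl) external {
        require(msg.sender == _getAddr(_UPGRADER_SLOT), "not upgrader");
        require(newImpl.code.length > 0, "impl not a contract");
        _setAddr(_IMPL_SLOT, newImpl);
        emit Upgraded(newImpl);
    }

    // A single fast key may halt all token calls, but cannot change code.
    function setPaused(bool paused) external {
        require(msg.sender == _getAddr(_PAUSER_SLOT), "not pauser");
        _setWord(_PAUSED_SLOT, paused ? bytes32(uint256(1)) : bytes32(0));
        emit Paused(paused);
    }

    function implementation() external view returns (address) {
        return _getAddr(_IMPL_SLOT);
    }

    // Every token call (transfer, mint, ...) is delegated here and refused while paused.
    fallback() external payable {
        require(_getWord(_PAUSED_SLOT) == bytes32(0), "paused");
        address impl = _getAddr(_IMPL_SLOT);
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    function _getWord(bytes32 s) private view returns (bytes32 v) { assembly { v := sload(s) } }
    function _setWord(bytes32 s, bytes32 v) private { assembly { sstore(s, v) } }
    function _getAddr(bytes32 s) private view returns (address) { return address(uint160(uint256(_getWord(s)))); }
    function _setAddr(bytes32 s, address a) private { _setWord(s, bytes32(uint256(uint160(a)))); }
}

// Minimal M-of-N multisig that holds the upgrader role: one stolen signer key
// is not enough to push a malicious implementation.
contract UpgradeMultisig {
    uint256 public immutable threshold;
    mapping(address => bool) public isSigner;
    mapping(bytes32 => mapping(address => bool)) public confirmed;
    mapping(bytes32 => uint256) public confirmations;
    mapping(bytes32 => bool) public executed;

    constructor(address[] memory signers, uint256 _threshold) {
        require(_threshold > 1 && _threshold <= signers.length, "bad threshold");
        for (uint256 i = 0; i < signers.length; i++) {
            require(signers[i] != address(0) && !isSigner[signers[i]], "bad signer");
            isSigner[signers[i]] = true;
        }
        threshold = _threshold;
    }

    // The id binds proxy, implementation and nonce, so one confirmation cannot be
    // reused for a different upgrade. The upgrade executes on the threshold-th confirmation.
    function confirmUpgrade(RoleSeparatedProxy proxy, address newImpl, uint256 nonce) external {
        require(isSigner[msg.sender], "not signer");
        bytes32 id = keccak256(abi.encode(address(proxy), newImpl, nonce));
        require(!executed[id] && !confirmed[id][msg.sender], "already confirmed");
        confirmed[id][msg.sender] = true;
        confirmations[id] += 1;
        if (confirmations[id] >= threshold) {
            executed[id] = true;
            proxy.upgradeTo(newImpl); // reverts unless this multisig is the upgrader
        }
    }
}
```

With this layout a stolen deployer key yields nothing, a stolen pauser key yields at most a denial of service, and an attacker needs `threshold` signer keys before `upgradeTo` accepts a new implementation; the `implementation()` getter lets anyone confirm on-chain which code the token currently delegates to, which is also the first thing to check after any suspicious transaction from a privileged account.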
It is also always worth requesting an audit of the updates: code that was audited and then modified can no longer be considered audited or safe. Auditing companies usually offer favourable terms for re-audits.
To conclude, managing a project's finances from a single regular wallet instead of a multisig is bad practice in any case and should be avoided.
About SmartState
Launched in 2019 and based in Dubai, SmartState is one of the leading DeFi security auditing firms. We conduct security tests and check core code, smart contracts and blockchains for all types of errors, vulnerabilities and other issues.
Although SmartState started out auditing smart contracts for DLT projects, from the very beginning we have made our services go beyond the classic scope of smart contract audit and security testing. We specialise in manual testing: SmartState's team of white-hat security professionals assesses a project's git repository and offers guidelines and recommendations for its further development. Our security audit reports review the threats and vulnerabilities through which a codebase may be exploited in the future, as the network scales and expands to accommodate more use cases and functionality.
Stay tuned and find out more about us and what we provide on our: