The Ankr team has alerted relevant authorities and is seeking to prosecute the attacker while also shoring up its security practices.
A release from the Ankr team on December 20 stated that a former team member was responsible for the $5 million hack of the Ankr protocol on December 1. The ex-employee carried out a "supply chain attack" by inserting malicious code into a package of upcoming updates to the team's internal software.
Once that update was installed, the malicious code opened a hole that gave the attacker access to the company's server and to the team's deployer key.
According to an earlier statement from the company, the attack was carried out with a stolen deployer key, which was used to update the protocol's smart contracts.
At the time, however, Ankr did not say how the deployer key had been taken. Ankr has notified the appropriate authorities and is working to have the attacker prosecuted. It is also strengthening its security procedures to safeguard access to its keys in the future.
According to an OpenZeppelin tutorial on the topic, upgradeable contracts like those used by Ankr rely on the idea of an "owner account" with exclusive authority to push upgrades.
Most developers transfer ownership of these contracts to a Gnosis Safe or another multisig account so that no single stolen key is enough to upgrade them. The Ankr team says that it did not previously use a multisig account for ownership, but that it will do so going forward.
“The exploit was possible partly because there was a single point of failure in our developer key. We will now implement multi-sig authentication for updates that will require signoff from all key custodians during time-restricted intervals, making a future attack of this type extremely difficult if not impossible. These features will improve security for the new ankrBNB contract and all Ankr tokens.”
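The ownership model described above, in code. This is an added example written for this page, not Ankr's or OpenZeppelin's code: `MinimalProxy` and `SimpleMultisig` are hypothetical, stripped-down stand-ins for the OpenZeppelin proxy/Ownable pattern and for a Gnosis Safe. The proxy shows the single point of failure (whoever holds `admin` can install any implementation), and `changeAdmin` shows the mitigation the article describes: handing that authority to an M-of-N multisig contract instead of a lone deployer key.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration only. Production systems should use the audited
// OpenZeppelin proxy contracts and a Gnosis Safe, not these toys.

/// Upgradeable proxy: every call is delegated to `implementation`, and whoever
/// is `admin` may replace it. If `admin` is an EOA controlled by one deployer
/// key, stealing that key is enough to install an arbitrary implementation.
contract MinimalProxy {
    // Fixed slots so proxy state cannot collide with implementation storage.
    bytes32 private constant IMPL_SLOT  = keccak256("example.proxy.implementation");
    bytes32 private constant ADMIN_SLOT = keccak256("example.proxy.admin");

    event Upgraded(address indexed implementation);
    event AdminChanged(address indexed previousAdmin, address indexed newAdmin);

    constructor(address implementation_, address admin_) {
        _set(IMPL_SLOT, implementation_);
        _set(ADMIN_SLOT, admin_);
    }

    modifier onlyAdmin() {
        require(msg.sender == _get(ADMIN_SLOT), "not admin");
        _;
    }

    function upgradeTo(address newImplementation) external onlyAdmin {
        require(newImplementation.code.length > 0, "impl not a contract");
        _set(IMPL_SLOT, newImplementation);
        emit Upgraded(newImplementation);
    }

    /// Move upgrade authority from a single key to a multisig contract.
    function changeAdmin(address newAdmin) external onlyAdmin {
        require(newAdmin != address(0), "zero admin");
        emit AdminChanged(_get(ADMIN_SLOT), newAdmin);
        _set(ADMIN_SLOT, newAdmin);
    }

    function admin() external view returns (address) { return _get(ADMIN_SLOT); }

    function _get(bytes32 slot) private view returns (address a) { assembly { a := sload(slot) } }
    function _set(bytes32 slot, address a) private { assembly { sstore(slot, a) } }

    // Anything that is not an admin function (including plain value transfers,
    // since there is no receive()) is forwarded to the implementation. Unlike
    // OpenZeppelin's transparent proxy, admin selectors are not forwarded for
    // non-admin callers; they simply revert.
    fallback() external payable {
        address impl = _get(IMPL_SLOT);
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

/// M-of-N multisig meant to become the proxy admin. Custodians confirm a
/// proposed call; once `threshold` confirmations exist, any owner executes it.
/// Compromising one custodian key is no longer enough to upgrade the proxy.
contract SimpleMultisig {
    struct Proposal { address to; bytes data; uint256 confirmations; bool executed; }

    mapping(address => bool) public isOwner;
    uint256 public immutable threshold;
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public confirmed;

    constructor(address[] memory owners, uint256 threshold_) {
        require(threshold_ > 0 && threshold_ <= owners.length, "bad threshold");
        for (uint256 i = 0; i < owners.length; i++) {
            require(owners[i] != address(0) && !isOwner[owners[i]], "bad owner");
            isOwner[owners[i]] = true;
        }
        threshold = threshold_;
    }

    modifier onlyOwner() { require(isOwner[msg.sender], "not owner"); _; }

    /// Propose a call such as proxy.upgradeTo(newImpl); the proposer's confirmation counts.
    function propose(address to, bytes calldata data) external onlyOwner returns (uint256 id) {
        id = proposals.length;
        proposals.push(Proposal({to: to, data: data, confirmations: 0, executed: false}));
        _confirm(id);
    }

    function confirm(uint256 id) external onlyOwner { _confirm(id); }

    function _confirm(uint256 id) private {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(!confirmed[id][msg.sender], "already confirmed");
        confirmed[id][msg.sender] = true;
        p.confirmations += 1;
    }

    function execute(uint256 id) external onlyOwner {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(p.confirmations >= threshold, "not enough confirmations");
        p.executed = true; // mark before the external call to block re-entrancy
        (bool ok, ) = p.to.call(p.data);
        require(ok, "call failed");
    }
}
```

Usage, in the deployment script: deploy the token implementation, deploy `MinimalProxy(impl, deployerEOA)`, deploy `SimpleMultisig(custodians, 3)` for a 3-of-5 setup, and immediately call `proxy.changeAdmin(address(multisig))` from the deployer key. From then on a future upgrade requires one custodian to call `multisig.propose(address(proxy), abi.encodeCall(MinimalProxy.upgradeTo, (newImpl)))`, two more to `confirm` it, and one to `execute`; a single leaked deployer key can no longer swap the implementation. The "time-restricted intervals" mentioned in Ankr's statement would be a timelock placed in front of `execute`, which this example leaves out.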
Additionally, Ankr has committed to enhancing its HR procedures. All employees, including those who work remotely, will be subject to "escalated" background checks, and access privileges will be reviewed so that only employees who need access to critical information have it.
The company will also put new alerting systems in place so that staff are notified more promptly when something goes wrong. The Ankr protocol hack was first identified on December 1.
The attacker was able to mint 20 trillion Ankr Reward Bearing Staked BNB (aBNBc), which were quickly swapped for $5 million in USD Coin (USDC) on decentralized exchanges and bridged to Ethereum.
The company says it intends to reissue its aBNBb and aBNBc tokens to users affected by the exploit and to put $5 million from its own treasury toward ensuring that the new tokens are fully backed. Ankr also spent $15 million to repeg the HAY stablecoin, which was left undercollateralized as a result of the attack.