Ankr hack review by SmartState team
Ankr, a Web3 infrastructure provider, was hacked on December 1st. The loss amounted to approximately $5.5M. Seems the attacker somehow gained access to Ankr's deployer private key.
Shortly before the hack, Ankr had performed project updates. The private key could have been compromised during those updates, or the attacker could have gotten access to the key earlier and just used that moment to execute the attack.
Source: link
The malicious user took advantage of the fact that the admin could make changes to the aBNBc code at any time (aBNBc token is an upgradeable one). This way they were able to inject the malicious code and mint ten quadrillion aBNBc, which they dumped afterwards. The $aBNBc price has collapse close to zero value.
Source: link
We see here several ways how Ankr could protect their project:
- Multisignature contracts;
- Roles separation;
- Audit of the updates.
The right to modify the code could have been granted to a role other than the owner, making it harder to compromise the contract. The decision-making power over project finances and updates could be shared between several accounts via multisig contract, which would make the hack much more difficult for an attacker, since they would have to get access to more than one wallet. Additionally, Ankr could create a non-multisig account to stop unwanted transactions.
Also, of course, it is always worth requesting an audit of the updates. Once audited and then updated code can no longer be considered audited and safe. Auditing companies from their side usually provide beneficial terms for re-audits.
To conclude, managing the financial part from a regular wallet instead of a multisig is a bad practice in any case and should be avoided.
