The crypto world reeled in 2022 as hackers stole $586 million from Binance’s BNB Chain by exploiting a bridge vulnerability. The breach, ranked as the third-largest crypto heist, triggered an eight-hour network freeze that left users locked out and questioning the chain’s “decentralised” claims. Here’s how the chaos unfolded.
How a Flaw in the System Led to the Bridge Exploit
On October 6, attackers manipulated the BSC Token Hub, a bridge linking Binance’s legacy chains, to mint 2 million BNB tokens. By forging deposit proofs from a 2020 block, they tricked the system into sending two batches of 1 million BNB each to their wallet. Blockchain expert Samczsun later revealed a critical bug in the bridge’s verification process, which could have enabled far greater damage.
“The attacker exploited vulnerable IAVL proof checks,” he noted, emphasising the narrow scope of the breach. Binance’s delayed response allowed the hacker to slip $127 million off-chain before freezing the remaining funds.
How the Hacker Fled
Rather than dumping stolen BNB immediately, the hacker deposited 900,000 tokens into Venus Protocol, borrowing $147 million in stablecoins. This move initially masked the theft as routine whale activity. But as Tether blacklisted addresses and liquidity vanished, panic set in.
The attacker then bridged funds to Ethereum, Fantom, Avalanche, and Polygon, converting assets swiftly. Blockchain analytics firm SlowMist tracked the stolen crypto across chains, revealing $6.5 million in frozen USDT. Yet, 70% of the loot remained trapped on BNB Chain after validators halted the network.
Chain Freeze Fallout
Binance paused its chain for eight hours, citing “irregular activity.” While this stopped the hacker, it also froze millions of legitimate transactions. Traders faced liquidations, emergency withdrawals stalled, and trust eroded.
Critics slammed the move as hypocritical. “Decentralised chains aren’t designed to be stopped,” Binance later claimed. Yet, its 26 validators executed the freeze effortlessly, spotlighting the chain’s centralised control. “Was BNB ever truly decentralised?” skeptics asked.
Who Really Controls BNB Chain?
The pause reignited debates about BNB Chain’s structure. With only 26 validators, many of them tied to Binance, the network’s decentralisation claims have crumbled. “Increasing community validators” post-hack rings hollow, critics argue, calling it damage control.
CEO Changpeng Zhao (CZ) further muddied waters, tweeting, “I’m less involved in BNB Chain than Vitalik is with Ethereum.” His attempt to distance Binance from the chain’s operations raised eyebrows, especially after a 2019 video resurfaced where he discussed reversing Bitcoin transactions.
Bounties and Blame Shifting
Facing backlash, Binance proposed governance votes to freeze or burn stolen funds and launched a $1 million bug bounty program. CZ downplayed losses, calling the $100 million impact “a quarter of our last BNB burn.”
Yet, the response felt lacking. While Venus Protocol clarified it wasn’t hacked, users endured spiked borrowing rates. Meanwhile, CZ’s deleted tweet, “It’s not about cash flow; it’s crypto flow,” sent during the attack on Binance, drew criticism for its tone-deaf timing.
What Comes Next?
The hack’s aftermath poses tough questions. If Binance can pause chains, why not prevent past hacks? Regulators now scrutinise its control over BNB Chain, potentially reshaping DeFi oversight.
Moreover, the pause sets a risky precedent. Imagine halted chains during mass crypto adoption blocking urgent medical payments or salaries. “Immutability isn’t sacred,” CZ once mused. But after this breach, BNB Chain’s credibility hangs by a thread.
Another Bridge, Another Breach
While Binance minimises fallout, the hack has shown systemic risks in cross-chain bridges and “decentralised” networks under corporate control. For now, the BNB exploit joins the grim leaderboard of crypto heists as a reminder that in DeFi, security and true decentralisation remain works in progress.
Written By Fazal Ul Vahab C H