Binance hack underscores how cross-chain bridges are a weak point in blockchain security

By Connie Lin

October 07, 2022
 

Binance, the world’s largest cryptocurrency exchange, has been hacked in the latest in a string of crypto-world hit jobs that have seemed to swell in size and frequency.

 

On Thursday evening, BNB Chain—the blockchain that forms the architecture for Binance’s trading platform and its own crypto token, BNB (formerly Binance Coin)—shared in a tweet that it had frozen operations on its blockchain in response to “irregular activity” that suggested a “potential exploit.” Binance’s chief executive, Changpeng Zhao, said the systems had been contained and the blockchain has since thawed its gears, while an investigation is underway.

By Friday morning, the company confirmed that the hacker had fingerprints on roughly $570 million in crypto tokens. However, according to blockchain analytics firm Elliptic, the hacker was only able to make off with about $100 million from the exchange due to swift action from the Binance team. The hacker minted 2 million new BNB coins, converting most of the funds into other tokens—such as Tether and USD Coin—and was trying to withdraw them from the exchange before Binance’s blockchain halted its gears and cut the transaction short.

Zhao, who said he was asleep at the time, credited the team for locking down operations. The system flows through a network of 26 so-called validators, scattered across time zones, who approve all blockchain transactions. According to a blog post from Binance, the company had to contact all of them one by one to halt the blockchain.

 
 

The attack targeted Binance’s cross-chain bridge, BSC Token Hub, which handles the conversion of assets from one cryptocurrency token to another. Such bridges, which are critical for crypto to achieve viability as a usable monetary system, have emerged as a weak point in blockchain security, with many hacks taking aim at their infrastructure. In March, a record $625 million was stolen from popular video game Axie Infinity’s Ronin bridge, which came just a month after a $325 million heist from a major DeFi hub, the Wormhole bridge. Before that, in August 2021, a $611 million theft took place on the Poly Network, a cross-chain protocol.

User funds seem not to be affected by this latest hack, and for Binance—which generated at least $20 billion in revenue last year—the loss of $100 million might be trifling. But the fact that hackers have been able to breach giants of cryptocurrency—again and again—could, hopefully, send alarm bells up the ladder and across the industry. According to Chainalysis, another blockchain analytics firm, $1.4 billion has been swiped from cross-chain bridges this year.

Fast Company
