Helio Exploit
How Helio Lost $15M Due To An Oracle Exploit
Last updated
How Helio Lost $15M Due To An Oracle Exploit
Last updated
Dec 2nd witnessed the exploit on the Ankr project, which led to a loss of $5 million, followed by an attack on Helio, resulting in the attacker gaining approximately $15.5 million. The Helio team acknowledged the ongoing exploit.
is a BNB-chain-based staking platform with $HAY as the protocol's native stablecoin, over collateralized by $BNB(contract source codes can be found ), whereas Ankr provides a full suite of developer tools to help build web3 apps(across 18+ chains, making it one of the most powerful multi-chain tool suite for web3). Read more about the Ankr protocol .
An oracle is a program that fetches data between off-chain sources and on-chain services. A smart contract can not access any data feed outside of the chain the contract is deployed to, and as a result, we need oracles to provide this type of data to contracts should it be necessary.
Due to this attack on Ankr, the price of aBNBc fell 99%( $0.02168), allowing the attacker to conduct the attack on helios.
The 183,000 $aBNBc were then used as collateral on the Helio Protocol to get 191,130 $hBNB tokens in return.
Helio states that they are working to resolve this situation and, meanwhile, has advised the users to avoid any transactions in HAY. The HAY pool currently holds around $19 million in locked funds.
After the attack on Helio, the price of the stablecoin $HAY de-pegged to a value of $0.21, and to re-peg this value of $HAY, Ankr decided to buy any extra $HAY that is produced as a result of the exploited $aBNBc and then send $HAY to a burn address.
The whole chain of attacks traces back to the attacker(s) gaining access to a private key used to govern contracts. Ankr used a single private key, whereas they should have used a multisig instead, e.g., a 3/5 multisig where even if one of the private keys gets compromised, the attacker must compromise two more keys to make the attack work. This was a classic case of lack of access management.
The attack started with a simple private key compromise, and as a result, ~$20 million was stolen by the attacker.
Oracle exploits continue to exist, and there is no 100% safeguard against these, although using decentralized oracle networks could be more resistant to this type of attack.
To understand the Helios hack, let's first take a look at what went wrong with Ankr, a "node as a service" platform. The $aBNBc token contract is an , i.e., with the correct permissions, the user can make the point to a new logic contract. The was able to compromise a private key that was used to govern contracts.
Using this key, the attacker could upgrade the contract to their malicious version and mint themselves 10 trillion $aBNBc($5 million); see the attacker's transaction . The attacker then used PancakeSwap to swap $aBNBc for $USDC and $BNB and then swapped them for $ETH.
Read the attack analysis .
After the attacker had successfully exploited the Ankr protocol, another attacker roughly around 183,000 $aBNBc using 10 $BNB from 1inch network.
Helio's price oracle was not updated during the attack on $aBNBc. Due to this, the attacker .
The attacker 15.5 million BUSD using the 16 million $HAY to finish the exploit.
The BUSDs were then transferred to the attacker's (0x4c7f5513894a99260bbfcf88311b544d6ca12757) involving 3 different transactions.
Helio's team that Ankr protocol and Helio were working together and had agreed that Ankr would pay for Helio's bad debt (due to the exploit).