Ankr confirms exploit, asks for immediate trading halt
Decentralized Finance (DeFi) protocol Ankr has been hit with an exploit targeting its aBNBc token, with millions estimated to have been stolen already.

BNB Chain-based decentralized finance (DeFi) protocol Ankr has confirmed it has been hit by a multi-million dollar exploit on Dec. 1.

The attack appears to have been first discovered by on-chain security analyst PeckShield at approximately 12:35 am UTC on Dec. 2.

Within an hour of the attack, Ankr confirmed on Twitter that the aBNB token has been exploited and that they’re working with exchanges to immediately halt trading of the compromised token.

The attacker was purportedly able to mint 20 trillion Ankr Reward Bearing Staked BNB (aBNBc), a reward-bearing token for BNB staked on the protocol.

According to a Twitter post from on-chain analysis firm Lookonchain, the exploiter has since used services such as Uniswap, Tornado Cash, and various bridges to swap and obfuscate the funds in order to gain around $5 million worth of USD Coin.

In a follow-up post, Ankr added that “all underlying assets on Ankr Staking are safe at this time, and all infrastructure services are unaffected.”

In comments to Cointelegraph about the attack, blockchain security firm Beosin suggested the exploit was likely the result of vulnerabilities in the smart contract code combined with compromised private keys, which may have come from a technical upgrade by the Ankr team about 12 hours ago.

Beosin also noted that the mass minting episode caused the price of aBNBc to fall 99.5% from $303.89 to $1.53 in a matter of hours, according to data from CoinMarketCap.

“It is possible that the deployer’s private key was exposed in this upgrade, leading to an attacker using deployer privileges to modify the contract,” a Beosin spokesperson told Cointelegraph.

In a Dec. 2 Twitter post, crypto exchange Binance confirmed its team is engaged with relevant parties to investigate the matter further, adding that Binance's user funds are not at risk. The BNB Chain Twitter page also stated that the exploiter's wallet address has been blacklisted.

Cointelegraph contacted Ankr when the exploit was first discovered but did not receive an immediate response.

_____

New York proposes to charge crypto companies for regulating them
DFS Superintendent Adrienne Harris noted that the proposed regulations will also allow the agency to “continue adding top talent to its virtual currency regulatory team.”

The New York State Department of Financial Services (DFS) has submitted a proposed change in state laws that would allow it to charge licensed crypto companies for regulating them.

While that may seem like an odd proposition, under Financial Services Law (FSL) it is common practice for the DFS to charge licensed non-crypto financial entities for the cost and expenses of maintaining oversight over them.

The proposal is led by DFS Superintendent Adrienne Harris, who announced the move via the DFS website on Dec. 1 and has submitted it for public feedback over the following 10 days.

Essentially, Harris is looking to bring virtual currency businesses in line with other regulated financial entities in the state, as FSL did not have a provision for crypto companies when crypto regulation was adopted in New York in 2015.

Harris also outlines that these “regulations will allow the Department to continue adding top talent to its virtual currency regulatory team.”

“Through licensing, supervision and enforcement, we hold companies to the highest standards in the world,” Harris said, adding that “the ability to collect supervisory costs will help the Department continue protecting consumers and ensuring the safety and soundness of this industry.”

According to the proposal document, the DFS would charge firms based on the total operating expenses of overseeing licensees, and the “proportion deemed just and reasonable” for other operating and overhead expenses.

As such, there isn’t a set figure that all companies pay, as their amount of oversight differs. However, the total amount owing would be broken down into five payment periods over the fiscal year.

With the crypto sector witnessing yet another multi-billion implosion, this time as the result of now-bankrupt FTX, Alameda Research and former golden boy Sam Bankman-Fried, it is unsurprising that regulators are scrambling to impose extra regulatory oversight.

In a U.S. Senate committee hearing on the FTX debacle on Dec. 1, Commodity Futures Trading Commission (CFTC) chair Rostin Behnam stated that while he feels his agency has the tools to oversee crypto, there are gaps in legislation that need filling.

“Without new authority for the CFTC, there will remain gaps in a federal regulatory framework, even if other regulators act within their existing authority,” he said.

_____

This AI chatbot is either an exploiter’s dream or their nightmare
An Artificial Intelligence (AI) chatbot by research company OpenAI has the ability to detect and provide solutions for smart contract vulnerabilities or even create smart contracts from scratch with a simple prompt.

The online crypto community has discovered a new Artificial Intelligence (AI)-powered chatbot that can either be used to warn developers of smart contract vulnerabilities or teach hackers how to exploit them.

ChatGPT, a chatbot tool built by AI research company OpenAI, was released on Nov. 30 and was designed to interact “in a conversational way” with the ability to answer follow-up questions and even admit mistakes, according to the company.

However, some Twitter users have come to realize that the bot could potentially be used for both good and evil, as it can be prompted to reveal loopholes in smart contracts.

Stephen Tong, co-founder of smart contract auditing firm Zellic, asked ChatGPT to help find an exploit, presenting a piece of smart contract code.

The bot responded by noting the contract had a reentrancy vulnerability where an exploiter could repeatedly withdraw the funds from the contract and provided an example of how to fix the issue.

A similar type of exploit was used in May by the attacker of the decentralized finance (DeFi) platform Fei Protocol, who made off with $80 million.

Others have shared results from the chatbot after prompting it with vulnerable smart contracts. Twitter user devtooligan shared a screenshot of ChatGPT, which provided the exact code needed to fix a Solidity smart contract vulnerability, commenting “we're all gonna be out of a job.”

With the tool, Twitter users have already begun to jest they’re able to now start businesses for security auditing simply by using the bot to test for weaknesses in smart contracts.

Cointelegraph tested ChatGPT and found it can also create an example smart contract from a prompt using simple language, generating code that could apparently provide staking rewards for Ethereum-based nonfungible tokens (NFTs).

Despite the chatbot's ability to test smart contract functionality, it wasn’t solely designed for that purpose and many on Twitter have suggested some of the smart contracts it generates have issues.

The tool also might provide different responses depending on the way it’s prompted, so it isn't perfect.

OpenAI CEO Sam Altman tweeted that the tool was “an early demo” and is “very much a research release.”

He opined that “language interfaces are going to be a big deal” and tools such as ChatGPT will “soon” have the ability to answer questions and give advice, with later iterations completing tasks or even discovering new knowledge.

_____

This Daily Dose was brought to you by Cointelegraph.
