BNB Chain Token Hub bridge exploit

An attacker forged IAVL proofs to mint $570M in BNB; validators paused the entire blockchain to freeze most of it, limiting unrecovered losses to approximately $100M.

Target
BNB Chain Token Hub bridge exploit
Date public
6 October 2022
Sector
Crypto
Attack type
Vulnerability Exploit
Threat actor
Unattributed
Severity
High
Region
Global — BNB Smart Chain

BNB Chain is the blockchain network run by the cryptocurrency exchange Binance. In October 2022 an attacker found a critical flaw in the "bridge" that connects two parts of the BNB network — the original BNB Beacon Chain and BNB Smart Chain. The bridge was supposed to verify cryptographic proofs before releasing funds. The attacker forged those proofs. By forging the proofs, the attacker convinced the bridge contracts that they had deposited two million BNB tokens — worth roughly $570 million at the time — and instructed the contracts to create (mint) that amount on BNB Smart Chain. They hadn't deposited anything. They'd simply created $570 million out of a software flaw.

What happened next was unprecedented: BNB Chain's validators — the small group of entities that operate the network — coordinated via an emergency call to pause the entire blockchain. This is something a decentralised public blockchain is theoretically not supposed to be able to do. The pause froze the minted tokens in place. The attacker had moved about $100 million off-chain before the pause took effect; that amount was not recovered. The remaining $470 million was frozen and effectively destroyed.

The episode sparked intense debate about whether the ability to pause a blockchain is a feature or a fundamental betrayal of its premise.

What happened

On 6 October 2022 an attacker exploited a critical vulnerability in the Token Hub bridge that connects BNB Beacon Chain to BNB Smart Chain, the two components of the BNB Chain network operated by Binance. The attacker forged cryptographic proofs of deposit to instruct the bridge contracts to mint two million BNB tokens — approximately $570 million at prevailing prices — directly to an address they controlled on BNB Smart Chain.

BNB Chain validators, contacted via an emergency coordination channel, made the decision to pause the entire BNB Smart Chain within approximately one hour of the exploit being detected. The pause was a discretionary decision by the network’s validator set — a group of 21 primary validators and 44 validators in total. By the time the pause took effect, the attacker had successfully bridged approximately $100–110 million off-chain to other networks and exchanges. The remaining approximately $470 million in minted BNB tokens remained on the paused chain, were subsequently frozen, and were effectively destroyed — the BNB supply was adjusted to account for the illegitimately minted tokens.

The net unrecovered loss was approximately $100 million. BNB Chain upgraded the bridge contracts after the pause and reopened the chain with enhanced proof verification. The episode is notable both for the technical vulnerability — a fundamental flaw in the bridge’s proof verification logic — and for the operational response, which raised lasting questions about whether BNB Chain’s capacity to pause itself is a feature or a flaw.

How it worked

The Token Hub bridge between BNB Beacon Chain and BNB Smart Chain used IAVL (Immutable AVL) proof verification — a cryptographic method for proving that a particular leaf node exists in a Merkle tree, the hash-linked data structure used to record transactions and state on a blockchain. The bridge contracts verified these proofs before minting BNB on the Smart Chain side: a valid proof was supposed to demonstrate that the equivalent BNB had been deposited and locked on the Beacon Chain.

The vulnerability was in the bridge’s implementation of IAVL proof verification. The contracts did not adequately validate that the proof data presented to them was consistent with a legitimately constructed tree. Specifically, the verification logic contained a flaw in how it handled particular proof node structures, allowing an attacker to craft a proof that the bridge contracts accepted as valid even though no corresponding deposit had been made on the Beacon Chain.

The attacker constructed two forged proofs — each minting one million BNB — and submitted them to the bridge in two separate transactions, receiving two million BNB on BNB Smart Chain with no actual deposit. The constructed proofs were sophisticated: the flaw in the IAVL verification logic was not obvious and required detailed knowledge of both the bridge implementation and the IAVL specification. The exploit is classified as a bridge-verification vulnerability, in the same category as the Ronin Network and Wormhole bridge exploits that preceded it.
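As an added illustration, not code from Token Hub and not the attacker's proofs: a simplified IAVL-style tree with an existence proof and a verifier that recomputes the root from every node on the path, so a proof for an inflated amount or for a deposit that was never recorded does not reproduce the committed root. The node encoding here is an assumption for illustration, not the real IAVL amino encoding.

```python
import hashlib

def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

# Simplified IAVL-style hashing (assumption: real IAVL amino-encodes height/size/version).
def leaf_hash(key: bytes, value: bytes) -> bytes:
    return sha(b"\x00", key, sha(value))  # leaf binds the key to its value

def inner_hash(height: int, size: int, left: bytes, right: bytes) -> bytes:
    return sha(b"\x01", bytes([height]), size.to_bytes(4, "big"), left, right)

def build(items):  # balanced tree over sorted (key, value) pairs
    if len(items) == 1:
        k, v = items[0]
        return {"hash": leaf_hash(k, v), "height": 0, "size": 1}
    mid = len(items) // 2
    l, r = build(items[:mid]), build(items[mid:])
    height, size = 1 + max(l["height"], r["height"]), l["size"] + r["size"]
    return {"hash": inner_hash(height, size, l["hash"], r["hash"]), "height": height,
            "size": size, "left": l, "right": r, "split": items[mid][0]}

def prove(node, key: bytes):
    """Root-to-leaf path of (height, size, sibling_hash, sibling_is_left) per inner node."""
    path = []
    while "left" in node:
        go_left = key < node["split"]
        sibling = node["right"] if go_left else node["left"]
        path.append((node["height"], node["size"], sibling["hash"], not go_left))
        node = node["left"] if go_left else node["right"]
    return path

def verify(root: bytes, key: bytes, value: bytes, path) -> bool:
    """Recompute the root from the claimed leaf upward; every proof node is re-hashed."""
    cur = leaf_hash(key, value)
    for height, size, sibling, sibling_is_left in reversed(path):
        l, r = (sibling, cur) if sibling_is_left else (cur, sibling)
        cur = inner_hash(height, size, l, r)
    return cur == root

# Constructed sample: deposit records committed on the source chain.
DEPOSITS = sorted([(b"deposit:1", b"100"), (b"deposit:2", b"250"), (b"deposit:3", b"75")])
ROOT = build(DEPOSITS)

def genuine_proof_verifies() -> bool:
    return verify(ROOT["hash"], b"deposit:2", b"250", prove(ROOT, b"deposit:2"))
def inflated_value_rejected() -> bool:  # real key, forged amount
    return not verify(ROOT["hash"], b"deposit:2", b"1000000", prove(ROOT, b"deposit:2"))
def nonexistent_deposit_rejected() -> bool:  # key that was never recorded
    return not verify(ROOT["hash"], b"deposit:9", b"1000000", prove(ROOT, b"deposit:9"))
```

The property a bridge needs is the one the three checks exercise: the verifier must re-hash every element of the proof into the root, so that no node, leaf or value can be accepted on its own say-so.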

Once the two million BNB was minted, the attacker began using DeFi protocols on BNB Smart Chain to convert BNB into stablecoins and bridge them to other networks — specifically Ethereum, where the tokens could be mixed and moved more easily. The speed of the validator response limited the amount that cleared before the chain pause.

Timeline

  • 6 October 2022, ~14:30 UTC — Attacker submits first forged IAVL proof to Token Hub bridge; 1 million BNB minted.
  • 6 October 2022 — Attacker submits second forged proof; second 1 million BNB minted. Total: 2 million BNB (~$570M) created from nothing.
  • 6 October 2022 — Attacker begins bridging minted BNB to other chains via Stargate and other bridges; approximately $100–110M moved off-chain.
  • 6 October 2022, ~15:40 UTC — BNB Chain detects the exploit; validators coordinate to pause BNB Smart Chain.
  • 6 October 2022 — Chain pause takes effect; ~$470M in minted BNB frozen on chain.
  • October 2022 — BNB Chain deploys patch to bridge contracts addressing the IAVL verification flaw; chain resumes operation.
  • Post-October 2022 — BNB supply adjusted to account for destroyed illegitimately minted tokens; validators implement on-chain governance changes to formalise the emergency pause capability.

What defenders should learn

The BNB Chain bridge exploit is one of a cluster of major bridge hacks — Ronin ($625M, March 2022), Wormhole ($320M, February 2022), Nomad ($190M, August 2022) — that made 2022 the worst year in DeFi bridge security history. The technical lesson is common to all of them: bridges are the most complex and highest-value components in cross-chain DeFi infrastructure, and their proof-verification logic must be formally verified, not just audited.

Bridge verification logic — Merkle proofs, IAVL proofs, light client proofs — is the mathematical foundation on which all bridge security rests. An error in proof verification is not like an error in a token contract or a governance mechanism; it is an error in the fundamental assumption that the bridge’s operations are grounded in reality. The IAVL verification flaw in Token Hub meant that the bridge’s “proof” that a deposit had occurred was not a proof at all. Formal verification of bridge proof logic — mechanically verifying that the verification function accepts proofs if and only if they correspond to real deposited assets — is the only method that provides reliable assurance about this property. Pre-deployment audits, however thorough, are insufficient for logic of this complexity.

The validator pause decision is the most debated element of the BNB Chain response. A blockchain that can be paused by 21 validators is, in a meaningful sense, not a permissionless decentralised network during the pause. The validators’ action was operationally rational — it saved $470M in losses — but it demonstrated that the network’s “decentralisation” is conditional on no emergency requiring central decision. The debate this triggered within the Ethereum and broader crypto community about what “decentralisation” means in practice for permissioned-validator chains is substantive and unresolved. For users choosing blockchain platforms, the BNB Chain incident is the clearest example of the trade-off: less-decentralised consensus can respond faster to crises but cannot offer the unconditional censorship-resistance that a truly permissionless network provides.
