Date: 7th October 2022
Time: 5:13am SGT
What another interesting morning in the world of crypto. For some reason these 9 fig hacks happen at around 5am Singapore time on weekdays.
I saw this tweet by @MevRefund pop up on my TweetDeck and immediately went to check out the transaction history of this BSC address.
I spent some time digging through the transactions and finding the source of funds. It was pretty quick to find out that this address had gotten 2 MILLION BNB TOKENS from the BNB bridge as it was minted a few hours ago.
This was weird because there are only a few people in the world who have 2 MILLION BNB tokens worth almost $600 million dollars. While I was thinking about what to do, Hsaka decided to retweet the @MevRefund Tweet.
You can literally see on the BNB chart where Hsaka decided to retweet the tweet.
At this point, I was panicking and trying to determine if the $600m that was minted was a legitimate transfer from the BNB chain to the BSC chain or if it was a bridge exploit that just minted tokens out of no where.
I used Debank to see what the exploiter was doing with his money to see if I can get any clues from there. For example, an obvious first step that most bridge exploiters would do is to bridge their money out to Ethereum from whatever chain they are on and then start depositing into Tornado Cash.
Obviously someone who has already committed the act of "stealing" or "exploiting" hundreds of millions of dollars would not care about OFAC.
However this guy was depositing the BNB on BSC chain to Venus, the biggest money market Defi protocol on BSC, and then borrowing out stablecoins such as USDC, USDT and BUSD. This made sense as it would easier to source liquidity without causing a big fuss.
The exploiter lent out $250m worth of BNB and borrowed out $150m worth of stablecoins. If he had instead sold $150m worth of BNB on BSC DEXes, it would have crashed the price 66% on chain and brought a lot of attention. Not to mention the fact that he would have only gotten a third of what he could have gotten using a money market protocol.
So that was expected but then he bridged out 50m to the Fantom network and that was 10% of the network's TVL.
Do note that we are in the stage of the bear market where $500m would put you in the top 10 chains. That's kind of insane.
From here on, the exploiter's decisions seem weird. He bridges a couple million worth to Avalanche, Polygon, Arbitrium, Optimism and Ethereum.
This seemed weird to me until I realised how little on chain liquidity there was. On chain liquidity is ABYSMAL.
Turns out it's really really hard to bridge out hundreds of millions of dollars to ETH. I'm sure there's a way and a process to maximise the bridges but it will probably take a really long time to figure out how to maximse the number of tokens that get sent to ETH and then swapped out for ETH and Tornado cashed.
The exploiter's performance was almost as bad as the on chain liquidity. He had a FEW HOURS before Binance decided to halt the chain.
He should have had a full plan before exploiting $600m and fumbling an insane heist.
Anyways back to the charts. At this point, there was a pretty easy trade to take. Short and wait for CZ or Binance or @samczsun to say something.
Price had already dropped by 1.3% after the Hsaka tweet and it then stalled for 20 minutes as everyone was trying to figure out what was going on.
At this point, I decided that monitoring the situation wasn't going to be worth it as it will be too volatile and decided to focus on getting ready for school.
Anyways, watching the Exploiter try to get the 2 Million $BNB out live on BSCScan was embarrassing. Imagine exploiting $600m and not having a fully planned exit plan to get funds into ETH on Ethereum.
Should have thought about that before minting hundreds of millions of dollars and bringing so much attention to yourself. Could have probably bought some time if it was only done with $10 million and efficiently bridged over 10+ times.