Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 114 · Private Key Compromise

Ankr / Helio Infinite Mint Cascade

Stolen Ankr developer key let an attacker mint 60 trillion aBNBc, which Helio accepted as collateral to lend out $16M of HAY before Binance froze $3M.

Date
Chain(s)
Status: Partially Recovered

On December 1, 2022, an attacker compromised a developer key at Ankr, used it to upgrade the aBNBc liquid-staking token contract, and minted 60 trillion (some sources say 6 quadrillion) aBNBc from thin air. The minted aBNBc was worthless on its own — but it caused a secondary loss at Helio Protocol, which accepted aBNBc as collateral and lent out $15-16 million of HAY stablecoin against the absurdly inflated supply before the oracle caught up. Binance froze approximately $3M in laundering paths.

What happened

Step 1 — Ankr key compromise

Ankr's aBNBc token contract was upgradeable. The upgrade authority was held by a developer's private key that the attacker compromised through standard endpoint-level techniques (the specific vector was never publicly detailed). With upgrade authority, the attacker:

  1. Pushed a malicious implementation of the aBNBc contract.
  2. Used the new implementation's minting function to create 60 trillion aBNBc.

The aBNBc market collapsed instantly, but the attacker's plan didn't depend on aBNBc holding value. It depended on a second, downstream protocol that consumed aBNBc as input.

Step 2 — Helio Protocol downstream exploit

Helio was a stablecoin protocol on BNB Chain that accepted aBNBc as collateral to mint HAY, a soft-pegged stablecoin. Helio's price oracle for aBNBc had a delay — it did not update instantly when aBNBc's market price crashed.

The attacker (or a parallel actor: either the same operator or a fast-acting opportunist):

  1. Deposited the worthless aBNBc into Helio as collateral, while the oracle still reported its pre-attack price.
  2. Borrowed ~$16M in HAY against the inflated nominal collateral value.
  3. Swapped the HAY for BUSD (~$15M) on Pancake DEXs before the oracle update or governance pause caught up.

Aftermath

  • Ankr paused the aBNBc contract and pushed a recovery upgrade that voided the malicious mint.
  • Helio absorbed the HAY loss; the HAY stablecoin's peg was repaired by Ankr-led treasury support.
  • Binance froze approximately $3M of stolen funds that moved through Binance addresses during laundering.
  • Combined publicly-reported loss across Ankr + Helio: approximately $20-24M after recovery efforts.

Why it matters

The Ankr/Helio cascade is the textbook case for how a single private-key compromise can cascade across DeFi composability. The attacker's primary mint at Ankr produced worthless tokens — but those tokens were inputs to Helio's stablecoin protocol, where the lending logic treated them as valuable until the oracle caught up. The total loss was the combined drain across both protocols.

The structural lesson is twofold:

  1. Upgrade authority over a token contract is upgrade authority over every protocol that consumes that token. Lending protocols, stablecoin issuers, and yield aggregators downstream of an upgradeable token inherit its upgrade-key risk.
  2. Oracle delays during incident windows are themselves attack surface. Any system that consumes an oracle whose update cadence is slower than transaction execution time can be drained by an attacker who knows the update is coming.

Modern liquid-staking protocols largely operate with renounced or timelocked admin keys specifically because of the Ankr pattern. Modern stablecoin protocols largely use emergency oracle-pause mechanisms for the same reason.
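
Both lessons can be expressed as a borrow-side circuit breaker, sketched here as an added example that is not code from Ankr, Helio, or the original article. The class names, the thresholds (5% supply growth, 5 minute price age), and the addresses, price, supply and timestamps are assumptions constructed for illustration; only the 60 trillion mint figure comes from the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    """What the lender observes about the collateral token at one moment."""
    implementation: str  # logic contract behind the upgradeable proxy
    total_supply: int    # whole tokens (decimals ignored for clarity)
    price_usd: int       # oracle price in whole USD
    price_ts: int        # unix time of the last oracle update

class BorrowGuard:
    """Refuses new debt when the collateral token itself looks compromised."""
    def __init__(self, baseline, max_growth_bps=500, max_price_age=300):
        self.baseline = baseline              # last state accepted as healthy
        self.max_growth_bps = max_growth_bps  # hypothetical 5% supply-growth cap
        self.max_price_age = max_price_age    # hypothetical 5 minute freshness cap

    def trips(self, cur, now):
        """Return the names of every breaker the current snapshot trips."""
        reasons = []
        if cur.implementation != self.baseline.implementation:
            reasons.append("implementation_changed")
        cap = self.baseline.total_supply * (10_000 + self.max_growth_bps)
        if cur.total_supply * 10_000 > cap:
            reasons.append("supply_spike")
        if now - cur.price_ts > self.max_price_age:
            reasons.append("stale_price")
        return reasons

    def max_borrow_usd(self, cur, now, deposit, ltv_bps=6_000):
        """Borrow limit for `deposit` tokens; zero while any breaker is tripped."""
        if self.trips(cur, now):
            return 0
        return deposit * cur.price_usd * ltv_bps // 10_000

def naive_borrow_usd(cur, deposit, ltv_bps=6_000):
    """Lender model that trusts the reported oracle price alone."""
    return deposit * cur.price_usd * ltv_bps // 10_000

# Constructed values: addresses, price, supply and timestamps are illustrative.
T0 = 1_669_852_800
HEALTHY = Snapshot("0xImplA", 100_000, 300, T0)
# After the malicious upgrade: 60 trillion minted, oracle still shows the old price.
ATTACK = Snapshot("0xImplB", 100_000 + 60 * 10**12, 300, T0 + 60)
GUARD = BorrowGuard(HEALTHY)

if __name__ == "__main__":
    print(naive_borrow_usd(ATTACK, 100_000), GUARD.trips(ATTACK, T0 + 90))
```

The oracle price in the attack snapshot is fresh by timestamp, so a staleness check alone would not have fired; the implementation change and the supply jump are what block the borrow.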

Sources & on-chain evidence

  1. [01] halborn.com: https://www.halborn.com/blog/post/explained-the-ankr-and-helio-hacks-november-2022
  2. [02] coindesk.com: https://www.coindesk.com/tech/2022/12/02/how-attackers-made-15m-from-staking-platform-helio-after-ankr-exploit
  3. [03] cryptonews.com: https://cryptonews.com/news/defi-protocol-ankr-suffers-infinity-minting-exploit-heres-what-happened/
