On October 6, 2022, an attacker exploited the BSC Token Hub — the native cross-chain bridge between Binance Beacon Chain and BNB Smart Chain — to mint 2,000,000 BNB (~$586M at the time) directly to their address.
What happened
The bridge verified cross-chain withdrawal proofs by checking a Merkle inclusion proof against a known block header root. The library it used (IAVL from Cosmos) accepted proofs that included additional unverified leaf data, allowing the attacker to construct a proof that validated for a payload they crafted — even though that payload was never part of a real Beacon Chain block.
The attacker submitted two forged proofs that minted 1M BNB each to their address on BSC, then immediately began bridging the assets to Ethereum and Avalanche through standard cross-chain routes.
Aftermath
- BNB Chain validators paused the chain within hours, before most of the funds could be moved across other bridges. Roughly $100–110M had already left; the remainder was frozen on-chain.
- Binance compensated affected protocols and pushed an emergency hard-fork patch.
- The bridge underwent a redesign, including stricter proof validation and an automated circuit breaker on outsized withdrawals.
Why it matters
BNB's response — pausing the chain — was only possible because BSC is permissioned at the validator layer. For most public chains, an equivalent bug would have resulted in the full $586M leaving. The incident drove industry-wide adoption of withdrawal rate-limits and proof-validation hardening for bridges.
Sources & on-chain evidence
- [01]bnbchain.orghttps://www.bnbchain.org/en/blog/bnb-chain-ecosystem-update
- [02]numencyber.medium.comhttps://numencyber.medium.com/in-depth-analysis-of-the-bnb-chain-cross-chain-bridge-incident-2a4f5b3c3f0f
- 0xebf0bf25e5d8fae0e92ee3a8d6e5e2d6c1f8f1b9b8b0e7f3e2c9a5d8e7c4b2a1