A $5 million hack of Ankr protocol on Dec. 1 was caused by a former team member, according to a Dec. 20 announcement from the Ankr team.
The ex-employee conducted a “supply chain attack” by putting malicious code into a package of future updates to the team’s internal software. Once this software was updated, the malicious code created a security vulnerability that allowed the attacker to steal the team’s deployer key from the company’s server.
After Action Report: Our Findings From the aBNBc Token Exploit. We just released a new blog post that goes in-depth about this: https://t.co/fyagjhODNGA
Previously, the team had announced that the exploit was caused by a stolen deployer key that had been used to upgrade the protocol’s smart contracts. But at the time, they had not explained how the deployer key had been stolen.
Ankr has alerted local authorities, and is attempting to have the attacker brought to justice. It is also attempting to shore up its security practices to protect access to its keys in the future.
Upgradeable contracts like those used by Ankr rely on the concept of an “owner account” that has sole authority to make upgrades, according to an OpenZeppelin tutorial on the subject. Because of the risk of theft, most developers transfer ownership of these contracts to a Gnosis Safe or other multisig account. The Ankr team says that it did not use a multisig account for ownership in the past but will do so from now on, stating:
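To make the owner-account risk concrete, here is an added illustrative example (not Ankr’s code and not OpenZeppelin’s library) of a minimal owner-gated upgradeable proxy. Every name in it is hypothetical. The `upgradeTo` function shows why a single stolen deployer/owner key is enough to replace the logic behind every user-facing call, and `transferOwnership` is the step that moves that authority to a multisig address such as a Gnosis Safe so that one compromised key no longer suffices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal owner-gated upgradeable proxy (added example, not Ankr's code).
contract OwnedUpgradeableProxy {
    // EIP-1967 slots keep proxy state out of the implementation's storage layout.
    bytes32 private constant IMPL_SLOT =
        bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1);
    bytes32 private constant ADMIN_SLOT =
        bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1);

    event Upgraded(address indexed implementation);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    // The deployer key typically becomes the initial owner: this is the single
    // point of failure the article describes.
    constructor(address initialImpl, address initialOwner) {
        require(initialOwner != address(0), "zero owner");
        _setAddr(IMPL_SLOT, initialImpl);
        _setAddr(ADMIN_SLOT, initialOwner);
    }

    modifier onlyOwner() {
        require(msg.sender == owner(), "not owner");
        _;
    }

    function owner() public view returns (address) {
        return _getAddr(ADMIN_SLOT);
    }

    function implementation() public view returns (address) {
        return _getAddr(IMPL_SLOT);
    }

    // Whoever controls the owner key can swap the logic behind every call to
    // this proxy. With a single EOA owner, key theft equals full control.
    function upgradeTo(address newImpl) external onlyOwner {
        require(newImpl.code.length > 0, "impl is not a contract");
        _setAddr(IMPL_SLOT, newImpl);
        emit Upgraded(newImpl);
    }

    // Mitigation: hand the owner role to a multisig (e.g. a Gnosis Safe address)
    // so an upgrade requires M-of-N signatures rather than one stolen key.
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        emit OwnershipTransferred(owner(), newOwner);
        _setAddr(ADMIN_SLOT, newOwner);
    }

    // All other calls are forwarded to the current implementation.
    fallback() external payable {
        _delegate(implementation());
    }

    receive() external payable {
        _delegate(implementation());
    }

    function _delegate(address impl) internal {
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    function _getAddr(bytes32 slot) private view returns (address a) {
        assembly { a := sload(slot) }
    }

    function _setAddr(bytes32 slot, address a) private {
        assembly { sstore(slot, a) }
    }
}
```

The deployment sequence that matches the practice the article recommends is: deploy with the deployer key as `initialOwner`, verify the proxy works, then immediately call `transferOwnership(<multisig address>)` from the deployer key and confirm `owner()` returns the multisig. After that step the deployer key should hold no remaining authority over the contract, so its compromise (however it happens, including through the kind of internal-package supply chain attack described above) cannot by itself push a malicious upgrade. Monitoring the `Upgraded` and `OwnershipTransferred` events on-chain gives a simple detection signal for any unexpected change of logic or owner.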
Ankr has also vowed to improve HR practices. It will require “escalated” background checks for all employees, even ones who work remotely, and it will review access rights to make sure that sensitive data can only be accessed by workers who need it. The company will also
Read more on cointelegraph.com