The Ankr protocol experienced a security breach on December 1, 2020, when a former team member conducted a supply chain attack. The attacker inserted malicious code into a package of future updates to the team’s internal software, creating a vulnerability that allowed the attacker to steal the team’s deployer key from the company’s server. The stolen deployer key was then used to upgrade the protocol’s smart contracts. Initially, the Ankr team was unable to explain how the deployer key had been stolen, but with the December 20th announcement they were able to provide more detail on the incident.
The team has alerted local authorities and is attempting to have the attacker brought to justice. The Ankr team is also working to strengthen their security practices to protect access to their keys in the future. They plan to use a multisig account for ownership of their contracts going forward, as this provides an extra layer of security. In addition, the Ankr team is working to develop better systems for detecting malicious code and other security threats. They are also working with their incident response teams to ensure that they are prepared to respond quickly and effectively to any future incidents.
This will make sure that the HAY stablecoin is still backed one-to-one by USDC.
The exploit was possible because of a single point of failure in the developer key. To prevent this from happening in the future, Ankr plans to implement multi-sig authentication for updates that will require signoff from all key custodians during time-restricted intervals. This will make it extremely difficult, if not impossible, for a similar attack to occur in the future.
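The policy described above can be modelled in a few lines. This is an added example, not Ankr's code: the class, method and custodian names are hypothetical, the caller identity is assumed to be authenticated by the chain, and the "time-restricted interval" is interpreted as a fixed approval window that opens when an upgrade is proposed.

```python
import hashlib

class UpgradeGate:
    """Toy model of an all-custodians, time-windowed upgrade approval."""

    def __init__(self, custodians, window_seconds):
        self.custodians = frozenset(custodians)
        self.window = window_seconds
        self.proposals = {}  # code digest -> (opened_at, set of approvers)

    def _check(self, caller, digest, now):
        if caller not in self.custodians:
            raise PermissionError("not a custodian")
        if digest not in self.proposals:
            raise LookupError("no such proposal")
        opened_at, approvers = self.proposals[digest]
        if now - opened_at > self.window:
            del self.proposals[digest]  # stale approvals are discarded
            raise TimeoutError("approval window closed")
        return approvers

    def propose(self, caller, code, now):
        if caller not in self.custodians:
            raise PermissionError("not a custodian")
        digest = hashlib.sha256(code).hexdigest()
        self.proposals[digest] = (now, {caller})  # proposer's approval counts
        return digest

    def approve(self, caller, digest, now):
        self._check(caller, digest, now).add(caller)

    def execute(self, caller, code, now):
        # Approvals are bound to the hash of the exact code being deployed,
        # so sign-off on one implementation cannot be reused for another.
        digest = hashlib.sha256(code).hexdigest()
        approvers = self._check(caller, digest, now)
        if approvers != self.custodians:
            raise PermissionError("missing approvals")
        del self.proposals[digest]
        return digest

def attempt(gate, caller, code, now):
    """Return 'upgraded' or the name of the rejection, for easy inspection."""
    try:
        gate.execute(caller, code, now)
        return "upgraded"
    except (PermissionError, LookupError, TimeoutError) as exc:
        return type(exc).__name__
```

With this gate, a holder of one custodian key can propose an upgrade but cannot execute it alone, which is the single point of failure the plan is meant to remove.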
The company will also improve its human resource practices. All employees, even those who work remotely, will be subjected to “escalated” background checks. Access rights will also be reviewed to make sure that only those who need access to sensitive data can access it. A new notification system has also been implemented to alert the team quickly when something goes wrong.
Overall, Ankr has taken decisive action to ensure the security of the new ankrBNB contract and all Ankr tokens. The implementation of multi-sig authentication and improved human resource practices will help to make sure that the protocol is secure and that future exploits are prevented. The company is also taking steps to make sure that those who were affected by the exploit are taken care of.