Blockchain Bites: BNB Chain suffers USD$570M exploit, EU extends Russian crypto sanctions, Coinbase secures Singapore licence approval.

Binance suspends BNB Chain after USD$570M exploit 

Binance, one of the world’s leading crypto-asset exchanges, paused their BNB chain after the largest exploit of the BNB chain to date, with between USD$100M and 110M of value extracted but no user tokens impacted (other than a suspension of withdrawing tokens from the ecosystem) after attackers created USD$570M in new BNB Tokens.

BNB chain is managed by Binance and offered as an ecosystem for launching decentralised applications (DApps) and has been highly active in crypto, with average daily transactions of 2.78M.

The exploit did not impact user tokens, but rather involved the attackers fabricating a long ago block in the chain with two requests resulting in 1M BNB Tokens being created under each request. Binance moved swiftly and managed to free USD$7M of the tokens before they could be used. Stablecoin Tether also reportedly blacklisted the attacker’s address, preventing the created BNB from entering the Tether ecosystem. and when the chain was paused only USD$100M – USD$110M of BNB Tokens had been moved off-chain. Founder of Binance, CZ said:

An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe.

The attackers had already borrowed stablecoins against the newly-created BNB and transferred those stablecoin into other tokens. Twitter user @Samczsun gave a good breakdown of how the exploit may have occurred and summarised:

… there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages. Fortunately, the attacker here only forged two messages, but the damage could have been far worse

The BNB Chain restored service on Saturday and Binance thanked the community for their patience and support. The ability to suspend / pause a blockchain like BNB Chain of course raises issues around just how decentralised and unstoppable a blockchain is, if it can be paused, but when an exploit like this occurs, the benefits of some kind of centralisation / emergency override are highlighted.

EU extends Russian sanctions on crypto wallets and custody

Last week, the European Union issued a new wave of sanctions against Russia extending its prohibition on providing crypto wallet, account or custody services to Russians. The sanctions are a response to Russia’s continuing military campaign against Ukraine and the Government’s annexation of four Ukrainian regions.

Previously, the EU imposed a prohibition on providing crypto-asset wallet, account or custody services to Russian nationals or natural persons residing in Russia, or legal persons, entities or bodies established in Russia, if the total value of crypto-assets exceeds €10,000. The enhanced prohibition abandons the €10,000 threshold and expands the ban to all crypto-asset wallet, account and custody services.

The new restrictions do not distinguish between custodial and non-custodial wallet facilities and amount to an outright ban on providing crypto wallet and custody facilities in Russia and to Russian persons or entities. It is likely that wallet providers who are subject to EU sanctions will be required to geo-block Russia entirely as a consequence of the ban.

The sanctions package extends the geographical scope of the EU’s trade sanctions with the occupied Ukrainian regions to Kherson and Zaporizhzhia. The package also includes additional restrictions on imports and exports of certain goods and technologies.

The United Kingdom has announced that it will also introduce further sanctions on Russia. The new UK restrictions include similar measures to the EU package but have not been published in full yet.

The United States has also announced new sanctions in response to Russia’s annexation of the four Ukrainian regions. The latest package includes the designation of a large number of additional Russian entities and individuals as sanctioned persons and stepped up sanctions enforcement against those who provide material support to sanctioned Russian entities or individuals or sanctionable activity relating to Russia’s military campaign and occupation of Ukraine.

Coinbase wins Singapore licence approval

Coinbase, the largest crypto exchange in the United States, announced on Monday that it has received in-principal approval for a Major Payments Institution licence from the Monetary Authority of Singapore (MAS). This approval will enable Coinbase to offer regulated Digital Payment Token (DPT) products and services in the city-state, subject to ongoing discussion and ratification by MAS.

About 180 crypto firms have applied to MAS for a licence to conduct DPT services. Coinbase joins a list of only 18 entities that have received in-principal approval, including Crypto.com. So far, the MAS has only formally granted 7 licenses, including to the Singaporean arm of Australian exchange, Independent Reserve, which together with an affiliate of the Singaporean bank, DBS, was among the first two recipients.

Some commentators have complained that Singapore’s licensing process is too time consuming and burdensome and criticized the MAS’s apparent mixed messages on digital assets. Last year, Binance pulled out of Singapore after withdrawing its application for a DPT licence and subsequently shut down its local .SG trading portal.

It appears that Singapore intends to take a measured approach to regulation which supports tokenisation and the growth of the digital assets industry, while addressing potential consumer harms. In August, the managing director of MAS said that the agency was considering “further measures to reduce consumer harm”, including introducing suitability tests for customers, restrictions on the use of leverage and lending facilities, and addressing market manipulation.

The MAS’s attempt to curb crypto speculation has not deterred exchanges like Coinbase which continue to view Singapore as a regional or even global hub. Coinbase said in its announcement that:

Singapore plays a critical regulatory and commercial role in APAC and beyond, and serves as our global talent hub; we are excited to continue investing and building for the crypto economy here.

Coinbase currently has around 100 employees in Singapore. Yesterday, Blockchain.com announced that it had become the 18th firm to win in-principle approval from the MAS for a DPT licence.

We anticipate that the global race by cryptocurrency firms to seek and win licence approvals in a wide range of jurisdictions will continue in the months and years ahead as more jurisdictions consider implementing bespoke licensing regimes regulating cryptocurrency exchanges.