Unveiling the new BNBx Pool on Wombat
2 min read
The last few weeks have been a testing time for the BNBx+ Wombat community as an exploit on Ankr’s aBNBc token drained out the Wombat BNB pool. In this article we will review the security breach on aBNBc and put forth a plan to restart the BNBx liquidity on Wombat with a new BNBx:BNB pool.
aBNBc exploit summary
A former Ankr team member was able to gain access to the private key of the aBNBc smart contract and deploy a new contract, giving them the ability to mint aBNBc token without the need to deposit BNB. They then used the newly minted aBNBc to drain pools across DEXs, one such pool was the Wombat BNB pool shared across - BNB, stkBNB, BNBx and aBNBc.
More information about the exploit can be found here https://www.ankr.com/blog/after-action-report-our-findings-from-abnbc-token-exploit/
Why could this not happen on BNBx ?
At BNBx we have always had multi-sig accounts controlling the contract admin, so even if one private key is compromised the contract is unaffected. Moreover, our current 3 out of 5 multi-sig has 3 external signatories, ensuring that control over the contract changes does not reside with the Stader team.
Additionally, our on-chain alerts developed with Forta give us real time detection of unauthorised minting or unforeseen changes in exchange rate, this can potentially help us act faster and work with DEX partners to disable pools quicker.
As an additional feature , Stader had implemented a 24hr time lock for any changes to the BNBx contract , ensuring sufficient time for the community to react.
Stader in conjunction with Wombat is set to relaunch liquidity for BNBx through a BNBx:BNB pool hosted on Wombat. The inherent low slippage of the Wombat stableswap pools represent a fundamental advantage for hosting liquidity for pegged pairs (like BNBx:BNB) . With additional security measures taken by both Stader (described above) and Wombat (https://docs.wombat.exchange/docs/concepts/fees/coverage-ratio-fee) we believe that this new pool will be more secure than ever.
The pool will restart on the 20th of Jan, with users being able to deposit BNB or BNBx or both on Wombat.