BNB Chain Bridge

2022-10-06

Attacker executes two transactions of 1 million BNB each via a forged IAVL Merkle proof on the BSC Token Hub bridge, minting approximately 2 million BNB (~$566–570 million).

2022-10-06

BNB Chain contacts all 44 active validators and requests they suspend block production on BNB Smart Chain to prevent further fund movement.

2022-10-06

Binance CEO Changpeng Zhao publicly confirms the exploit on Twitter, states the issue is contained and user funds are safe.

2022-10-07

BNB Smart Chain resumes operations with a hotfix. Tether and Circle blacklist the attacker's addresses, freezing $33.5 million combined in USDT and USDC.

2022-10-07

Post-incident analysis confirms approximately $137 million was moved to other chains before the halt, with roughly $430 million remaining frozen on BSC.

2022-10-11

BNB Chain announces a scheduled hard fork for October 12 to permanently patch the cross-chain bridge vulnerability.

2022-10-12

BNB Chain hard fork (client v1.1.15) executed at 08:00 UTC, patching the IAVL proof verification flaw and re-enabling the cross-chain bridge.

2022-10-13

Cosmos SDK releases coordinated security disclosures for the 'Dragonfruit' and 'Dragonberry' bugs affecting all IBC-enabled chains using the same IAVL library.

2023-02-06

BNB Chain's Planck hard fork implements BEP-171, introducing permanent security enhancements including ICS23 proof verification, transfer time-locks, and emergency channel-pause mechanisms.