# Helio Exploit


On Dec 2nd, the Ankr project was exploited for a loss of $5 million. An attack on Helio followed, in which the attacker gained approximately $15.5 million. The Helio team acknowledged the ongoing exploit.

[Helio](https://docs.helio.money/) is a BNB-chain-based staking platform with $HAY as the protocol's native stablecoin, over-collateralized by $BNB (contract source code can be found [here](https://github.com/helio-money/helio-smart-contracts)), whereas Ankr provides a full suite of developer tools to help build web3 apps (across 18+ chains, making it one of the most powerful multi-chain tool suites for web3). Read more about the Ankr protocol [here](https://www.ankr.com/ankr-whitepaper-2.0.pdf).

## **What is an Oracle?**

An oracle is a program that relays data between off-chain sources and on-chain services. A smart contract cannot access any data feed outside the chain it is deployed to, so oracles supply that data to contracts when they need it.

## **Background**

To understand the Helio hack, let's first take a look at what went wrong with Ankr, a "node as a service" platform. The $aBNBc token contract is an [upgradable contract](https://blog.chain.link/upgradable-smart-contracts/), i.e., a user with the correct permissions can make the [proxy contract](https://docs.openzeppelin.com/upgrades-plugins/1.x/proxies) point to a new logic contract. The [attacker](https://bscscan.com/address/0xf3a465c9fa6663ff50794c698f600faa4b05c777) was able to compromise a private key that was used to govern contracts.

Using this key, the attacker could upgrade the contract to their malicious version and mint themselves 10 trillion $aBNBc ($5 million); see the attacker's transaction [here](https://bscscan.com/tx/0xe367d05e7ff37eb6d0b7d763495f218740c979348d7a3b6d8e72d3b947c86e33). The attacker then used PancakeSwap to swap $aBNBc for $USDC and $BNB and then swapped them for $ETH.

Due to this attack on Ankr, the price of aBNBc fell 99% ($0.02168), which made the attack on Helio possible.

Read the attack analysis [here](https://twitter.com/peckshield/status/1598508401755144196).

## **The Attack**

After the attacker had successfully exploited the Ankr protocol, another attacker [bought](https://bscscan.com/tx/0xaab2611b70f69cf79324c9bc5d0fcda5c95cabf713c74901a9613f212043dfc3) roughly 183,000 $aBNBc using 10 $BNB on the 1inch network.

The 183,000 $aBNBc were then used as collateral on the Helio Protocol to get 191,130 $hBNB tokens in return.

Helio's price oracle was not updated during the attack on $aBNBc, so the protocol still valued the deposited collateral at its pre-crash price. Due to this, the attacker [borrowed 16 million $HAY](https://bscscan.com/tx/0x391a665e8efad14cd63d5caed10f53881ebb8eab1c5ae14648db2d06cdd00cdd).

The attacker [bought](https://bscscan.com/tx/0x9b4d0eb8df95ac6d5548c6abed0e90ceccebcf2560ef41bdc514d74746c0dd8e) 15.5 million BUSD using the 16 million $HAY to finish the exploit.

The BUSD was then transferred to the attacker's [address](https://bscscan.com/token/0xe9e7cea3dedca5984780bafc599bd69add087d56?a=0x4c7f5513894a99260bbfcf88311b544d6ca12757) (0x4c7f5513894a99260bbfcf88311b544d6ca12757) in 3 separate transactions.

Helio states that it is working to resolve this situation and has meanwhile advised users to avoid any transactions in HAY. The HAY pool currently holds around $19 million in locked funds.

## **What Happened After The Attack?**

Helio's team [announced](https://twitter.com/Helio_Money/status/1598710454796390407) that Ankr protocol and Helio were working together and had agreed that Ankr would pay for Helio's bad debt (due to the exploit).

After the attack on Helio, the stablecoin $HAY de-pegged to a value of $0.21. To re-peg $HAY, Ankr decided to buy any extra $HAY produced as a result of the exploited $aBNBc and then send that $HAY to a burn address.

## **What Was Done Wrong?**

The whole chain of attacks traces back to the attacker(s) gaining access to a private key used to govern contracts. Ankr used a single private key, whereas they should have used a multisig instead, e.g., a 3/5 multisig where even if one of the private keys gets compromised, the attacker must compromise two more keys to make the attack work. This was a classic case of lack of access management.
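The 3/5 arrangement described above can be sketched as a contract that owns the proxy's upgrade right, so that no single key can change the logic contract. This is an added example, not Ankr's or Helio's code; the `IUpgradeable` interface and the `UpgradeMultisig` contract are hypothetical names, and it assumes the proxy exposes an `upgradeTo(address)` function callable only by this contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical upgrade surface of the proxy; assumed for this example.
interface IUpgradeable {
    function upgradeTo(address newImplementation) external;
}

contract UpgradeMultisig {
    uint256 public constant THRESHOLD = 3; // 3 of the 5 signers must approve
    mapping(address => bool) public isSigner;
    // Proposal id => signer => has approved
    mapping(bytes32 => mapping(address => bool)) public approved;
    mapping(bytes32 => uint256) public approvals;
    mapping(bytes32 => bool) public executed;

    constructor(address[5] memory signers) {
        for (uint256 i = 0; i < 5; i++) {
            // Reject zero and duplicate keys so the set really has 5 distinct signers.
            require(signers[i] != address(0) && !isSigner[signers[i]], "bad signer");
            isSigner[signers[i]] = true;
        }
    }

    // Each signer approves one exact (proxy, implementation) pair.
    function approve(IUpgradeable proxy, address newImpl) external {
        require(isSigner[msg.sender], "not a signer");
        bytes32 id = keccak256(abi.encode(proxy, newImpl));
        require(!executed[id], "already executed");
        require(!approved[id][msg.sender], "already approved");
        approved[id][msg.sender] = true;
        approvals[id] += 1;
    }

    // A single compromised key can call this, but it reverts until two
    // more distinct signers have approved the same implementation.
    function execute(IUpgradeable proxy, address newImpl) external {
        require(isSigner[msg.sender], "not a signer");
        bytes32 id = keccak256(abi.encode(proxy, newImpl));
        require(!executed[id], "already executed");
        require(approvals[id] >= THRESHOLD, "below threshold");
        executed[id] = true; // set before the external call
        proxy.upgradeTo(newImpl);
    }
}
```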

## **Conclusions**

The attack started with a simple private key compromise, and as a result, ~$20 million was stolen by the attacker.

Oracle exploits continue to exist, and there is no 100% safeguard against them, although decentralized oracle networks could be more resistant to this type of attack.
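One defensive pattern for the stale-price condition described in this write-up is to refuse to value collateral when the feed is old or disagrees with an independent source. This is an added example, not Helio's code; the `IPriceFeed` interface, the `GuardedCollateralOracle` contract, the 10-minute freshness window and the 5% tolerance are all assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical feed interface for this example; not Helio's actual oracle API.
interface IPriceFeed {
    // Price with 18 decimals and the timestamp of the feed's last update.
    function latestPrice() external view returns (uint256 price, uint256 updatedAt);
}

contract GuardedCollateralOracle {
    IPriceFeed public immutable primary;   // main feed for the collateral token
    IPriceFeed public immutable secondary; // independent source, e.g. a DEX TWAP adapter
    uint256 public constant MAX_AGE = 10 minutes;    // assumed freshness window
    uint256 public constant MAX_DEVIATION_BPS = 500; // assumed 5% tolerance

    error StalePrice(uint256 updatedAt);
    error ZeroPrice();
    error PriceDeviation(uint256 primaryPrice, uint256 secondaryPrice);

    constructor(IPriceFeed _primary, IPriceFeed _secondary) {
        primary = _primary;
        secondary = _secondary;
    }

    // Reverts instead of returning an old or disputed price, so borrowing
    // halts when the collateral market moves and one feed lags behind.
    function safePrice() public view returns (uint256) {
        uint256 p = _fresh(primary);
        uint256 s = _fresh(secondary);
        uint256 diff = p > s ? p - s : s - p;
        // Measure the gap against the lower quote so a crash on one side trips the check.
        uint256 base = p < s ? p : s;
        if (diff * 10_000 > base * MAX_DEVIATION_BPS) revert PriceDeviation(p, s);
        return base; // value collateral at the more conservative quote
    }

    function _fresh(IPriceFeed feed) private view returns (uint256 price) {
        uint256 updatedAt;
        (price, updatedAt) = feed.latestPrice();
        if (price == 0) revert ZeroPrice();
        // A feed that has not been updated within MAX_AGE is treated as unusable.
        if (block.timestamp - updatedAt > MAX_AGE) revert StalePrice(updatedAt);
    }
}
```

A lending contract would call `safePrice()` in its borrow path, so a revert here blocks new debt rather than letting it be issued against an outdated valuation.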


