Audit log

Every state-changing event for Ankr & Helio Protocol Hack: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-05-31 06:58:49Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 423,324,475

   sig

   2DdfbQxJsndU…rZX3WEUpcopyexplorer ↗

   hash

   5EiEH3B84Rhv…d3M7aNVRcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (19795 B) ▸

   {"actor":"system:backfill","investigation_id":"df5b1422-124a-4f09-aeb1-e9eb99225ae4","kind":"publish","page_slug":"ankr-helio","published_at":"2026-05-31T06:58:49.146Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Ankr & Helio Protocol Hack","sections":[{"content":"The Ankr–Helio incident unfolded across two distinct but linked exploits on December 1–2, 2022. The initial vector was a supply chain attack on Ankr's internal software pipeline that resulted in the compromise of its smart contract deployer private key. Using that key, the attacker uploaded a malicious aBNBc contract containing an unauthorized minting function (function signature 0x3b3a5522) that bypassed the standard onlyMinter access control check. The attacker minted approximately 6 quadrillion aBNBc tokens across multiple transactions and immediately swapped them across BNB Chain decentralized exchanges, draining liquidity pools for roughly $5 million in USDC before bridging those proceeds to Ethereum. The mass sell-off caused aBNBc's price to collapse 99.5%, from approximately $303 to under $2 within hours. Blockchain security firm PeckShield first detected the anomalous minting activity at approximately 00:35 UTC on December 2, 2022.","heading":"Attack Overview","severity":"critical","sources":[{"credibility":1,"name":"Ankr Blog: The aBNBc Token Report","type":"official","url":"https://www.ankr.com/blog/the-abnbc-token-report/"},{"credibility":2,"name":"CoinTelegraph: Ankr confirms exploit, asks for immediate trading halt","type":"news","url":"https://cointelegraph.com/news/ankr-confirms-exploit-asks-for-immediate-trading-halt"},{"credibility":2,"name":"The Block: Attackers pocket $20 million in exploits on Ankr and Helio","type":"news","url":"https://www.theblock.co/post/191668/attacker-pockets-20-million-in-exploits-on-ankr-and-helio"}]},{"content":"On December 20, 2022, Ankr disclosed that a former team member was responsible for the exploit. According to Ankr's post-incident statement, the ex-employee inserted malicious code into a package of planned updates to the team's internal software. When the software was subsequently updated, the malicious code created a vulnerability that allowed the attacker to extract the deployer private key from Ankr's servers. This attack vector — embedding a backdoor in a dependency or internal toolchain update — is classified as a software supply chain attack. Ankr stated it had alerted law enforcement and was pursuing legal action against the former employee, though the individual was not publicly identified. The disclosure marked one of the more notable confirmed insider-threat incidents in DeFi history.","heading":"Insider Threat: Former Employee Supply Chain Attack","severity":"critical","sources":[{"credibility":1,"name":"CoinDesk: DeFi Protocol Ankr Says Ex-Employee Caused $5M Exploit","type":"news","url":"https://www.coindesk.com/business/2022/12/21/defi-protocol-ankr-says-ex-employee-caused-5m-exploit"},{"credibility":2,"name":"CoinTelegraph: Ankr says ex-employee caused $5M exploit, vows to improve security","type":"news","url":"https://cointelegraph.com/news/ankr-says-ex-employee-caused-5m-exploit-vows-to-improve-security"},{"credibility":2,"name":"TokenInsight: Ankr Exploit of aBNBc Due to Malicious Supply Chain Attack by a Former Team Member","type":"news","url":"https://tokeninsight.com/en/news/ankr-exploit-of-abnbc-due-to-malicious-supply-chain-attack-by-a-former-team-member"}]},{"content":"Within hours of the Ankr exploit, a second attacker capitalized on Helio Protocol's stale price oracle. Helio allowed users to deposit aBNBc as collateral to borrow HAY, its BNB Chain-based stablecoin, at pre-crash valuations. The attacker purchased 183,885 aBNBc tokens on 1inch for approximately 10 BNB (worth roughly $2,879 at the time), then deposited those tokens into Helio Protocol. Because Helio's price oracle had not yet updated to reflect the crashed aBNBc price — the protocol was relying on outdated Chainlink pricing — the attacker was credited as if the collateral still held its original value. This enabled the borrowing of 16,444,740 HAY tokens worth approximately $16.4 million. The attacker swapped the HAY for approximately 15.5 million BUSD and transferred those funds to a Binance hot wallet. The resulting bad debt caused HAY to de-peg severely, falling from $1.00 to approximately $0.20 before partially recovering. Helio acknowledged the protocol's total bad debt reached approximately 19 million HAY.","heading":"Helio Protocol Cascade: Oracle Failure and HAY De-Peg","severity":"critical","sources":[{"credibility":1,"name":"CoinDesk: How Attackers Made $15M From Staking Platform Helio After Ankr Exploit","type":"news","url":"https://www.coindesk.com/tech/2022/12/02/how-attackers-made-15m-from-staking-platform-helio-after-ankr-exploit"},{"credibility":2,"name":"Neptune Mutual: Report on the Helio Protocol Hack","type":"news","url":"https://medium.com/neptune-mutual/report-know-about-the-helio-protocol-hack-44197d2be605"},{"credibility":1,"name":"Lista DAO (Helio Protocol): Helio Protocol's Impact in the aBNBc Exploit","type":"official","url":"https://medium.com/@ListaDAO/helio-protocols-impact-in-the-abnbc-exploit-6954e0199096"}]},{"content":"Binance CEO Changpeng Zhao announced on December 2, 2022, that Binance had frozen approximately $3 million in funds connected to the combined exploits after the attackers routed stolen assets through the exchange. A portion of the Ankr exploiter's proceeds — estimated at 900 BNB (approximately $253,000) — was also sent to Tornado Cash, the cryptocurrency mixing protocol. Despite Binance's intervention, the majority of the approximately $20 million in combined losses was not recovered.","heading":"Binance Intervention and Fund Recovery","severity":"high","sources":[{"credibility":1,"name":"The Record (Recorded Future): Binance freezes $3 million worth of crypto stolen in Ankr hack","type":"news","url":"https://therecord.media/binance-freezes-3-million-worth-of-crypto-stolen-in-ankr-hack"},{"credibility":2,"name":"CryptoSlate: Binance freezes $3M from Ankr exploit","type":"news","url":"https://cryptoslate.com/binance-freezes-3m-from-ankr-exploit/"}]},{"content":"Ankr announced a multi-stage recovery program shortly after the exploit. The protocol took a snapshot of aBNBc and aBNBb holders as of December 2, 2022, and committed $5 million to compensate affected liquidity providers. On December 9, 2022, Ankr airdropped the newly issued ankrBNB token to prior aBNBc and aBNBb holders based on their snapshot balances. On December 12, 2022, Ankr airdropped BNB to users who had supplied BNB through affected aBNBc or aBNBb liquidity pools. Ankr stated that 17 of 19 affected DeFi protocols received 100% compensation; Stader and pStake users received 50% of their losses. The aBNBc and aBNBb tokens were discontinued. Additionally, Ankr deployed a separate $15 million recovery fund — distinct from the $5 million user compensation — directed toward buying back excess HAY from Helio Protocol and alleviating Helio's bad debt. On the security front, Ankr implemented multi-signature authentication for future deployer key operations, requiring sign-off from multiple key custodians within time-restricted intervals.","heading":"Ankr Compensation and Security Response","severity":"medium","sources":[{"credibility":1,"name":"Ankr Blog: Details of Ankr's BNB Exploit Relief Efforts","type":"official","url":"https://www.ankr.com/blog/the-details-of-ankrs-bnb-exploit-relief-efforts-and-our-stance-on-compensation/"},{"credibility":1,"name":"Ankr Blog: Ankr Makes Progress With Recovery Program Targets and Milestones","type":"official","url":"https://www.ankr.com/blog/ankr-makes-progress-with-recovery-program-targets-and-milestones/"},{"credibility":2,"name":"CoinTelegraph: Ankr deploys $15M to make users whole as Helio stablecoin recovers","type":"news","url":"https://cointelegraph.com/news/ankr-deploys-15m-to-make-whole-users-as-helio-stablecoin-recovers-after-exploit"},{"credibility":2,"name":"FinanceFeeds: Ankr airdrops new tokens, bought 6.8M HAY to ease bad debts","type":"news","url":"https://financefeeds.com/ankr-airdrops-new-tokens-bought-6-8m-hay-to-ease-bad-debts/"}]},{"content":"Following the exploit, Helio Protocol immediately paused all protocol operations and initiated a buyback of approximately 6.8 million HAY tokens to help restore the peg. Helio reached an agreement with Ankr in which Ankr assumed responsibility for the bad debt arising from the aBNBc collateral failure. Helio committed to replacing aBNBc collateral with Ankr's new ankrBNB token secured by multi-signature controls. HAY recovered from its low of $0.20 to approximately $0.95–$0.96. In July 2023, Helio Protocol announced a strategic merger with Synclub, a BNB Chain staking infrastructure provider. On February 6, 2024, the combined entity officially rebranded as Lista DAO, with HAY renamed to lisUSD, SnBNB renamed to lisBNB, and the governance token HELIO renamed to LISTA. Lista DAO has since expanded to Ethereum mainnet.","heading":"Helio Protocol Response and Rebrand to Lista DAO","severity":"medium","sources":[{"credibility":1,"name":"Lista DAO (Helio Protocol Medium): Helio Protocol's Impact in the aBNBc Exploit","type":"official","url":"https://medium.com/@ListaDAO/helio-protocols-impact-in-the-abnbc-exploit-6954e0199096"},{"credibility":1,"name":"Helio.Money Medium: A new chapter — Introducing Lista DAO","type":"official","url":"https://medium.com/helio-money/a-new-chapter-introducing-lista-dao-771d69be7930"},{"credibility":2,"name":"CoinTelegraph: Ankr deploys $15M to make users whole as Helio stablecoin recovers","type":"news","url":"https://cointelegraph.com/news/ankr-deploys-15m-to-make-whole-users-as-helio-stablecoin-recovers-after-exploit"}]},{"content":"The Ankr–Helio incident highlights two distinct but interrelated failure modes. First, centralized key management — where a single deployer private key held on a company server could be exfiltrated through a malicious internal software update — represents a systemic risk in DeFi protocols that retain administrative upgrade authority. Second, Helio's reliance on a price oracle that did not update in near-real-time to reflect catastrophic collateral price crashes created an exploitable window. The oracle latency allowed a $2,879 purchase of worthless tokens to be leveraged into a $15.5 million borrow. Industry analysts and security researchers subsequently identified these as illustrative of broader DeFi risk categories: insider threat, supply chain compromise, and price oracle manipulation. The use of Tornado Cash to launder a portion of proceeds further complicated fund recovery.","heading":"Security Lessons and Risk Assessment","severity":"high","sources":[{"credibility":2,"name":"CoinTelegraph Magazine: DeFi's billion-dollar secret — The insiders responsible for hacks","type":"news","url":"https://cointelegraph-magazine.com/defis-billion-dollar-secret-the-insiders-responsible-for-hacks/"},{"credibility":2,"name":"Neptune Mutual: Report on the Helio Protocol Hack","type":"news","url":"https://medium.com/neptune-mutual/report-know-about-the-helio-protocol-hack-44197d2be605"},{"credibility":2,"name":"Lossless: Another Day, Another Hack — Ankr's $5M Exploit","type":"news","url":"https://medium.com/@losslessdefi/another-day-another-hack-ankrs-5m-exploit-d3989e858f8c"}]}],"sources_used":[{"name":"Ankr Blog: The aBNBc Token Report","type":"official","url":"https://www.ankr.com/blog/the-abnbc-token-report/"},{"name":"Ankr Blog: Details of Ankr's BNB Exploit Relief Efforts","type":"official","url":"https://www.ankr.com/blog/the-details-of-ankrs-bnb-exploit-relief-efforts-and-our-stance-on-compensation/"},{"name":"Ankr Blog: Recovery Program Targets and Milestones","type":"official","url":"https://www.ankr.com/blog/ankr-makes-progress-with-recovery-program-targets-and-milestones/"},{"name":"CoinDesk: DeFi Protocol Ankr Says Ex-Employee Caused $5M Exploit","type":"news","url":"https://www.coindesk.com/business/2022/12/21/defi-protocol-ankr-says-ex-employee-caused-5m-exploit"},{"name":"CoinDesk: How Attackers Made $15M From Staking Platform Helio After Ankr Exploit","type":"news","url":"https://www.coindesk.com/tech/2022/12/02/how-attackers-made-15m-from-staking-platform-helio-after-ankr-exploit"},{"name":"CoinTelegraph: Ankr confirms exploit, asks for immediate trading halt","type":"news","url":"https://cointelegraph.com/news/ankr-confirms-exploit-asks-for-immediate-trading-halt"},{"name":"CoinTelegraph: Ankr says ex-employee caused $5M exploit, vows to improve security","type":"news","url":"https://cointelegraph.com/news/ankr-says-ex-employee-caused-5m-exploit-vows-to-improve-security"},{"name":"CoinTelegraph: Ankr deploys $15M to make users whole as Helio stablecoin recovers","type":"news","url":"https://cointelegraph.com/news/ankr-deploys-15m-to-make-whole-users-as-helio-stablecoin-recovers-after-exploit"},{"name":"CoinTelegraph: Ankr says no one should trade aBNBc, only LPs caught off guard will be compensated","type":"news","url":"https://cointelegraph.com/news/ankr-says-no-one-should-trade-abnbc-only-lps-caught-off-guard-will-be-compensated"},{"name":"The Block: Attackers pocket $20 million in exploits on Ankr and Helio","type":"news","url":"https://www.theblock.co/post/191668/attacker-pockets-20-million-in-exploits-on-ankr-and-helio"},{"name":"The Record (Recorded Future): Binance freezes $3 million worth of crypto stolen in Ankr hack","type":"news","url":"https://therecord.media/binance-freezes-3-million-worth-of-crypto-stolen-in-ankr-hack"},{"name":"Neptune Mutual: Report on the Helio Protocol Hack","type":"news","url":"https://medium.com/neptune-mutual/report-know-about-the-helio-protocol-hack-44197d2be605"},{"name":"Lista DAO (Helio Protocol): Helio Protocol's Impact in the aBNBc Exploit","type":"official","url":"https://medium.com/@ListaDAO/helio-protocols-impact-in-the-abnbc-exploit-6954e0199096"},{"name":"Helio.Money Medium: A new chapter — Introducing Lista DAO","type":"official","url":"https://medium.com/helio-money/a-new-chapter-introducing-lista-dao-771d69be7930"},{"name":"CryptoSlate: Binance freezes $3M from Ankr exploit","type":"news","url":"https://cryptoslate.com/binance-freezes-3m-from-ankr-exploit/"},{"name":"FinanceFeeds: Ankr airdrops new tokens, bought 6.8M HAY to ease bad debts","type":"news","url":"https://financefeeds.com/ankr-airdrops-new-tokens-bought-6-8m-hay-to-ease-bad-debts/"},{"name":"CoinTelegraph Magazine: DeFi's billion-dollar secret — The insiders responsible for hacks","type":"news","url":"https://cointelegraph-magazine.com/defis-billion-dollar-secret-the-insiders-responsible-for-hacks/"},{"name":"Lista DAO X: Official rebrand announcement","type":"official","url":"https://x.com/lista_dao/status/1754479358377394625"}],"summary":"On December 1–2, 2022, a former Ankr employee carried out a supply chain attack that compromised the protocol's deployer private key, enabling the minting of trillions of aBNBc tokens and the draining of approximately $5 million in liquidity. Hours later, a separate attacker exploited Helio Protocol's slow price oracle to borrow $16.4 million in HAY stablecoin against nearly worthless aBNBc collateral, ultimately netting around $15.5 million. Combined losses exceeded $20 million, making it one of the most significant DeFi insider-threat incidents of 2022.","timeline":[{"date":"2022-12-01","event":"Former Ankr employee's previously inserted malicious code extracts the deployer private key from Ankr's internal server. The attacker uses the key to deploy a modified aBNBc contract with an unauthorized minting function.","source":"CoinDesk: Ankr ex-employee disclosure","source_url":"https://www.coindesk.com/business/2022/12/21/defi-protocol-ankr-says-ex-employee-caused-5m-exploit"},{"date":"2022-12-02","event":"At approximately 00:35 UTC, PeckShield detects anomalous aBNBc minting. Attacker mints approximately 6 quadrillion aBNBc tokens and dumps them on BNB Chain DEXes, netting roughly $5 million in USDC before bridging to Ethereum. aBNBc price falls 99.5% to under $2.","source":"Ankr Blog: The aBNBc Token Report","source_url":"https://www.ankr.com/blog/the-abnbc-token-report/"},{"date":"2022-12-02","event":"A second attacker purchases 183,885 aBNBc tokens on 1inch for ~10 BNB (~$2,879), deposits them into Helio Protocol, and borrows 16,444,740 HAY (~$16.4M) via a stale price oracle. HAY is swapped for ~15.5M BUSD and transferred to Binance.","source":"CoinDesk: How Attackers Made $15M From Helio After Ankr Exploit","source_url":"https://www.coindesk.com/tech/2022/12/02/how-attackers-made-15m-from-staking-platform-helio-after-ankr-exploit"},{"date":"2022-12-02","event":"Ankr confirms the exploit publicly and asks exchanges to halt trading of aBNBc. Binance CEO Changpeng Zhao announces Binance has frozen approximately $3 million of stolen funds.","source":"The Record: Binance freezes $3M from Ankr hack","source_url":"https://therecord.media/binance-freezes-3-million-worth-of-crypto-stolen-in-ankr-hack"},{"date":"2022-12-02","event":"HAY stablecoin de-pegs to $0.20. Helio Protocol pauses all operations and initiates a HAY buyback program. Ankr announces $5M compensation plan for affected liquidity providers.","source":"BeinCrypto: BNB-Based HAY Destablecoin Loses Peg Following Ankr Exploit","source_url":"https://beincrypto.com/bnb-based-hay-destablecoin-loses-peg-ankr-exploit/"},{"date":"2022-12-05","event":"Ankr discloses formal reimbursement plan for affected users, specifying compensation only for liquidity providers 'caught off guard' — not for traders who purchased aBNBc after the exploit became public.","source":"CoinTelegraph: Ankr says no one should trade aBNBc","source_url":"https://cointelegraph.com/news/ankr-says-no-one-should-trade-abnbc-only-lps-caught-off-guard-will-be-compensated"},{"date":"2022-12-09","event":"Ankr airdrops ankrBNB tokens to prior aBNBc and aBNBb holders based on December 2 snapshot. aBNBc and aBNBb tokens are officially discontinued.","source":"Ankr Blog: Recovery Program Targets and Milestones","source_url":"https://www.ankr.com/blog/ankr-makes-progress-with-recovery-program-targets-and-milestones/"},{"date":"2022-12-12","event":"Ankr completes BNB airdrops to affected DeFi liquidity pool participants. Ankr deploys $15M additional recovery fund directed at Helio's bad debt, purchasing excess HAY.","source":"FinanceFeeds: Ankr airdrops new tokens, bought 6.8M HAY to ease bad debts","source_url":"https://financefeeds.com/ankr-airdrops-new-tokens-bought-6-8m-hay-to-ease-bad-debts/"},{"date":"2022-12-20","event":"Ankr publicly discloses that a former team member conducted the attack via a supply chain exploit, inserting malicious code into an internal software update to steal the deployer key. Ankr states law enforcement has been alerted.","source":"CoinDesk: DeFi Protocol Ankr Says Ex-Employee Caused $5M Exploit","source_url":"https://www.coindesk.com/business/2022/12/21/defi-protocol-ankr-says-ex-employee-caused-5m-exploit"},{"date":"2023-07-04","event":"Helio Protocol announces a strategic merger with Synclub, a BNB Chain liquid staking provider, beginning the transition toward a new brand identity.","source":"Lista DAO Medium: Helio & Synclub Merger","source_url":"https://medium.com/helio-money/a-new-chapter-introducing-lista-dao-771d69be7930"},{"date":"2024-02-06","event":"Helio Protocol and Synclub officially relaunch as Lista DAO. HAY is renamed lisUSD, SnBNB is renamed lisBNB, and HELIO governance token is renamed LISTA.","source":"Lista DAO X announcement","source_url":"https://x.com/lista_dao/status/1754479358377394625"}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 4ec77ba3-95c4-45e5-b076-bcb8b6f23059copy