- In the past three days, two new DeFi platforms on the Binance Smart Chain have suffered attacks by hackers, losing $6.3 million and $7.2 million respectively.
- BSC has claimed that these attacks are targeted and called on all developers on its blockchain to apply all the security measures possible, including triple-checking their code.
Another day, another attack on Binance Smart Chain. The blockchain network has barely seen a week without a flash loan attack in the past two months. The latest is on Belt Finance, a DeFi platform that according to experts lost money to the same flash loan exploit its predecessors have suffered from. Just two days ago, BurgerSwap lost over $7 million to a similar exploit in what is now becoming a deeply worrying trend.
The Belt Finance attack
The Belt Finance incident was a textbook attack, with a few minor tweaks, according to Rekt Blog, a site that details DeFi hacks. The attacker exploited an incorrect share valuation that helped him to add another notch to the “now infamous flash loan exploit season on the BSC.”
Yet another fork of a fork has rolled off the conveyor belt with $6.3M falling straight into the hands of the hacker. Despite this being a slightly more sophisticated attack than some of the previous occurrences, all the familiar hallmarks are present.
The attack, as with many others, started with acquiring BUSD, the Binance stablecoin, from another DeFi platform, this time PancakeSwap. According to security analysts, the attackers took out 8 flash loans from PancakeSwap for $385 million in total. They then exploited the BeltBUSD vault’s ‘Ellipsis’ strategy, as it was the most undersubscribed. After that, they leaked the funds via the Venus strategy.
Ellipsis is a decentralized exchange that enables users to swap stablecoins on BSC with low slippage, while Venus is the leading DeFi platform on BSC.
Mudit Gupta, a core developer at SushiSwap, took a deep dive into the attack. According to him, the amount lost to the hackers was much more than initially revealed. He put the stolen funds at $13 million.
The way beltBUSD multi-strategy vault works is that it has a target balance for all strategies. When anyone deposits money, it deposits it into the most undersubscribed strategy. When someone withdraws money, it withdraws it from the most oversubscribed strategy.
At the start of the exploit, Venus was most undersubscribed and hence the deposits went towards it. After the large deposit from the attacker, Venus became the most oversubscribed strategy and hence, the withdrawals came from it as well.
— Mudit Gupta (@Mudit__Gupta) May 30, 2021
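A minimal model of the routing rule described in the thread above, added here as an example and not Belt Finance's own code: deposits go to the strategy furthest below its target, withdrawals come from the strategy furthest above it, so a single large deposit can make one strategy both the deposit and the withdrawal target. Strategy names and balances are constructed for illustration.

```python
# Added example (not Belt Finance's code): model of a multi-strategy vault
# that routes deposits to the most undersubscribed strategy and withdrawals
# from the most oversubscribed one. All numbers below are constructed.

def most_undersubscribed(strategies):
    """Strategy with the largest shortfall below its target balance."""
    return max(strategies, key=lambda s: s["target"] - s["balance"])

def most_oversubscribed(strategies):
    """Strategy with the largest excess above its target balance."""
    return max(strategies, key=lambda s: s["balance"] - s["target"])

def deposit(strategies, amount):
    s = most_undersubscribed(strategies)
    s["balance"] += amount
    return s["name"]

def withdraw(strategies, amount):
    s = most_oversubscribed(strategies)
    s["balance"] -= amount
    return s["name"]

def simulate(deposit_amount, withdraw_amount):
    """Run one deposit followed by one withdrawal against a constructed
    starting state where Venus sits furthest below its target."""
    strategies = [
        {"name": "Venus", "target": 1_000, "balance": 600},
        {"name": "Ellipsis", "target": 1_000, "balance": 900},
        {"name": "Other", "target": 1_000, "balance": 1_050},
    ]
    deposited_to = deposit(strategies, deposit_amount)
    withdrawn_from = withdraw(strategies, withdraw_amount)
    return deposited_to, withdrawn_from

if __name__ == "__main__":
    # A small deposit leaves Venus undersubscribed, so the withdrawal is
    # served elsewhere; a large one flips Venus to oversubscribed, so the
    # same strategy serves both legs of the transaction.
    print(simulate(100, 100))      # ('Venus', 'Other')
    print(simulate(5_000, 5_000))  # ('Venus', 'Venus')
```

The routing target is a function of the caller's own deposit, which is why monitoring for a deposit and withdrawal hitting the same strategy within one transaction is a useful anomaly signal.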
The BurgerSwap attack
Just days ago, yet another BSC platform was under attack, losing over $7 million. The attacker made away with $3.2 million in BURGER tokens, $1.6 million worth of Wrapped BNB tokens and $1.4 million worth of Tether from BurgerSwap.
The BurgerSwap attack took place on May 28, the platform revealed on Twitter. About $7.2 million was stolen in the attack in which the attackers created their own fake coin and formed a new trading pair with the BURGER token.
BurgerSwap Flash Loan Attack Details:
— BurgerSwap (@burger_swap) May 28, 2021
BurgerSwap had become quite popular on BSC, having launched last year. It is a clone of Uniswap v2, meaning that its code is almost identical to v2’s. However, as Uniswap founder Hayden Adams revealed, BurgerSwap developers had omitted a crucial line of code that is responsible for securing the liquidity pools.
This thread sounds complicated. Here’s what happened very simply.
Uniswap v2 fork removed the only line that enforces x*y=k from core:
So core could very trivially be drained.
This is the line that was removed: https://t.co/iN3nc1xMTm
— Hayden Adams 🦄 (@haydenzadams) May 28, 2021
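To make the thread concrete, here is an added Python model (not BurgerSwap's or Uniswap's code) of a v2-style pair's swap with the fee-adjusted x*y >= k check that Uniswap v2 performs after tokens are sent out, alongside the same function with that check disabled. Reserve sizes and amounts are constructed; the model takes input amounts as parameters rather than reading token balances as the real contract does.

```python
# Added example (not BurgerSwap's or Uniswap's code): constant-product pair
# with and without the K invariant check. Reserves below are constructed.

FEE_NUM, FEE_DEN = 997, 1000   # Uniswap v2 charges 0.3% on the input amount

class ConstantProductPair:
    def __init__(self, reserve0, reserve1, enforce_k=True):
        self.reserve0, self.reserve1 = reserve0, reserve1
        self.enforce_k = enforce_k

    def swap(self, amount0_in, amount1_in, amount0_out, amount1_out):
        """Mirror of the v2 flow: tokens go out first, then the pair checks
        that fee-adjusted reserves still satisfy x*y >= k."""
        if amount0_out >= self.reserve0 or amount1_out >= self.reserve1:
            raise ValueError("INSUFFICIENT_LIQUIDITY")
        balance0 = self.reserve0 - amount0_out + amount0_in
        balance1 = self.reserve1 - amount1_out + amount1_in
        if self.enforce_k:
            # The single invariant check; without it, nothing forces the
            # caller to pay for the tokens that were just sent out.
            adj0 = balance0 * FEE_DEN - amount0_in * (FEE_DEN - FEE_NUM)
            adj1 = balance1 * FEE_DEN - amount1_in * (FEE_DEN - FEE_NUM)
            if adj0 * adj1 < self.reserve0 * self.reserve1 * FEE_DEN ** 2:
                raise ValueError("K")
        self.reserve0, self.reserve1 = balance0, balance1
        return balance0, balance1

def fair_output(reserve_in, reserve_out, amount_in):
    """Largest output for amount_in that still satisfies the K check."""
    amount_in_with_fee = amount_in * FEE_NUM
    return amount_in_with_fee * reserve_out // (reserve_in * FEE_DEN + amount_in_with_fee)

def checked_pair_rejects_unpaid_withdrawal(amount_out=10_000):
    """True when a swap that pays nothing is refused by the K check."""
    pair = ConstantProductPair(1_000_000, 1_000_000)
    try:
        pair.swap(0, 0, 0, amount_out)
    except ValueError as err:
        return str(err) == "K"
    return False

if __name__ == "__main__":
    print(checked_pair_rejects_unpaid_withdrawal())        # True
    paid = ConstantProductPair(1_000_000, 1_000_000)
    out = fair_output(1_000_000, 1_000_000, 10_000)       # 9871
    print(paid.swap(10_000, 0, 0, out))                   # (1010000, 990129)
```

A review checklist for any v2 fork should therefore confirm that this require is present and reached on every swap path, not only that the rest of the file matches upstream.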
The BurgerSwap token is currently trading at $6.57, down from the all-time high of $25.18 which it hit on May 3. Its volume has lost about 30 percent since the attack.
We are being targeted: BSC
Amid the rise of attacks on DeFi platforms on Binance Smart Chain, the blockchain project claims the attacks are targeting projects in its ecosystem. BSC took to Twitter to acknowledge the unfortunate rise of flash loan attacks on its blockchain. It claimed that “well-organized hackers are targeting BSC now. It is a very challenging time for the BSC community.”
There are >8 #flashloan hacks recently; we believe well-organized hackers are targeting #BSC now. It is a very challenging time for the BSC community. We are calling for action from all the #dapps:
— Binance Smart Chain (@BinanceChain) May 30, 2021
BSC called on dApp builders to adhere to a number of measures to beef up their security. One of these is working with internal auditors to check the code. The developers must also monitor their platforms in real time and pause them when they detect any abnormality.
BSC dApps must also prepare a contingency plan in case the worst happens. To further ensure any loopholes are detected before attackers exploit them, they should set up a bounty program.
The warning to developers comes days after a Binance representative stated that the exchange can’t do much to recover the cryptos that attackers steal. Samy Karim was speaking at the Consensus Conference recently, stating:
BSC is a public permissionless infrastructure so anybody can deploy projects there…. It is not possible in the way that a lot of people think for there to be some kind of rollback,