BSC-Based Uranium Finance Exploited for $50M

  • The attacker reportedly stole 80 BTC, 1,800 ETH, 17.9 million BUSD, 5.7 million USDT, 638,000 ADA, 26,500 DOT, 34,000 wBNB, and 112,000 U92.
  • The project had already been attacked on 3 April, when a hacker stole $1.3 million worth of BNB and BUSD.

Binance Smart Chain-based automated market maker (AMM) Uranium Finance has lost $50 million worth of crypto in a security incident, the DeFi project said on Twitter on 28 April.

According to the tweet, an unknown hacker attacked during the platform’s V2.1 migration event, and by exploiting a bug in the protocol was able to steal roughly $50 million worth of crypto. The Uranium Finance team has already contacted the Binance Smart Chain security team in an attempt to mitigate the situation and keep the funds on the network.

The attacker reportedly used a bug in the Uranium V2 balance modifier logic to inflate the platform’s balance by 100x, and then a swap function to drain the funds. The error allowed the hacker to steal several tokens, including 80 BTC, 1,800 ETH, 17.9 million BUSD, 5.7 million USDT, 638,000 ADA, 26,500 DOT, 34,000 wBNB, and 112,000 U92, the project’s native token.
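The class of bug described above can be caught with an invariant test. The following is an added example, not Uranium's contract code: it assumes a Uniswap-V2-style constant-product check, and the pool sizes, fee values and scale factors are constructed so that the mismatch equals the 100x the report mentions.

```python
# Constructed model of a constant-product AMM swap check; not Uranium's contract code.

def swap_accepted(r0, r1, b0, b1, in0, in1, balance_scale, reserve_scale, fee):
    """Pool-side check: fee-adjusted, scaled balances vs. scaled reserves."""
    adj0 = b0 * balance_scale - in0 * fee
    adj1 = b1 * balance_scale - in1 * fee
    return adj0 * adj1 >= r0 * r1 * reserve_scale ** 2


def max_output(r0, r1, in0, balance_scale, reserve_scale, fee):
    """Largest token1 amount the check releases for in0 of token0."""
    lo, hi = 0, r1 - 1
    while lo < hi:  # acceptance is monotonic in the output, so bisect
        mid = (lo + hi + 1) // 2
        if swap_accepted(r0, r1, r0 + in0, r1 - mid, in0, 0,
                         balance_scale, reserve_scale, fee):
            lo = mid
        else:
            hi = mid - 1
    return lo


def product_preserved(r0, r1, in0, out1):
    """Invariant a test suite should assert after every accepted swap."""
    return (r0 + in0) * (r1 - out1) >= r0 * r1


R0 = R1 = 1_000_000   # constructed pool reserves
IN0 = 1_000           # constructed input: 0.1% of reserve0

# Same scale on both sides of the comparison (fee 3/1000 = 0.3%).
SOUND = max_output(R0, R1, IN0, balance_scale=1_000, reserve_scale=1_000, fee=3)
# Balances scaled by 10_000 but reserves by 1_000: the left side is 100x too large.
MISMATCHED = max_output(R0, R1, IN0, balance_scale=10_000, reserve_scale=1_000, fee=30)

if __name__ == "__main__":
    for name, out in (("sound", SOUND), ("mismatched", MISMATCHED)):
        print(name, out, "product preserved:", product_preserved(R0, R1, IN0, out))
```

With consistent scaling the check releases slightly less than the input is worth; with the mismatch it accepts a swap that leaves the reserve product far below its starting value, which is exactly what `product_preserved` flags.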

The hacker has already started moving and withdrawing the funds to the Ethereum network. He first started with the ADA and DOT tokens, which were swapped for the BSC version of ETH through DeFi project PancakeSwap, and then used cross-chain swap protocol AnySwap to migrate those funds to the Ethereum network. According to Etherscan data, the funds were transferred in 100 ETH increments.

This is not the first time the project has suffered an attack this month. Earlier in April, one of Uranium’s pools was exploited by a hacker, who was able to steal around $1.3 million worth of BUSD and BNB. Shortly after the attack, Uranium migrated to its V2 iteration and said it was able to recover around $1 million from the attack.

Hacks and exploits on DeFi projects have become more common in recent months. Back in March, BSC-based project Meerkat Finance lost $34 million in crypto only a day after it had officially launched. The ForceDAO DeFi protocol was also attacked by 5 hackers, who were able to drain 183 ETH from the project, only hours after it had launched an airdrop campaign on 3 April. Last week, EasyFi also suffered an attack, which saw the project lose $70 million worth of tokens.
