Hacker illustration

Binance Smart Chain-based automated market maker (AMM) Uranium Finance has lost $50 million worth of crypto in a security incident, the DeFi project said on Twitter on 28 April.

According to the tweet, an unknown hacker attacked during the platform’s V2.1 migration event, and by exploiting a bug in the protocol was able to steal roughly $50 million worth of crypto. The Uranium Finance team has already contacted the Binance Smart Chain security team in an attempt to mitigate the situation and keep the funds on the network.

The attacker reportedly used a bug in the Uranium V2 balance modifier logic to inflate the platform’s balance by 100x, and then a swap function to drain the funds. The error allowed the hacker to steal several tokens, among which 80 BTC, 1,800 ETH, 17.9 million BUSD, 5.7 million USDT, 638,000 ADA, 26,500 DOT, 34,000 wBNB, and 112,000 U92, the project’s native token.


The hacker has already started moving and withdrawing the funds to the Ethereum network. He first started with the ADA and DOT tokens, which were swapped for the BSC version of ETH through DeFi project PancakeSwap, and then used cross-chain swap protocol AnySwap to migrate those funds to the Ethereum network. According to Etherscan data, the funds were transferred in 100 ETH increment.

This is not the first time the project had suffered from an attack this Month. Earlier in April, one of Uranium’s pools was exploited by a hacker, who was able to steal around $1.3 million worth of BUSD and BNB. Shortly after the attack, Uranium migrated to its V2 iteration and said it was able to recover around $1 million from the attack.

Hacks and exploits on DeFi projects have become more common in recent months. Back in March, BSC-based project Meerkat Finance lost $34 million in crypto only a day after it had officially launched. The ForceDAO DeFi protocol was also attacked by 5 hackers, who were able to drain 183 ETH from the project, only hours after it had launched an airdrop campaign on 3 April. Last week, EasyFi was also suffered an attack, which saw the project loose $70 million worth of tokens.

Show Comments