Uranium Finance joins the growing list of hacked Binance Smart Chain ventures.
Uranium Finance, an automated market maker (AMM) on the Binance Smart Chain, has announced a security breach that resulted in a $50 million loss.
Tweeting on Wednesday, Uranium revealed that the exploit targeted its v2.1 token migration event and that the team was in contact with the Binance security team to mitigate the situation.
(1/2)‼️ Uranium migration has been exploited, the following address has 50m in it
The only thing that matters is keeping the funds on BSC, everyone please start tweeting this address to Binance immediately asking them to stop transfers.
— Uranium Finance (@UraniumFinance) April 28, 2021
The hacker allegedly exploited flaws in Uranium’s balance modifier logic, inflating the project’s balance by a factor of 100.
According to reports, the perpetrator was able to steal $50 million from the project as a result of this flaw. At the time of publication, the hacker’s contract already held $36.8 million in Binance Coin (BNB) and Binance USD (BUSD).
80 Bitcoin (BTC), 1,800 Ether (ETH), 26,500 Polkadot (DOT), 5.7 million Tether (USDT), 638,000 Cardano (ADA), and 112,000 u92, the project’s native currency, are among the remaining looted assets.
According to BscScan, the intruder exchanged the ADA and DOT tokens for ETH, raising the Ether stash to about 2,400 ETH.
Meanwhile, the suspected mastermind of the robbery has already transferred 2,400 ETH, valued at about $5.7 million, using the Ethereum privacy tool Tornado Cash.
According to data from the Ethereum chain tracking service Etherscan, funds are flowing in 100 ETH increments, with the cross-chain bridge AnySwap being used to transfer funds from BSC to the Ethereum network.
According to Uranium, the project has contacted the Binance security team in order to discourage the hacker from withdrawing further funds from the BSC ecosystem.
Binance did not respond immediately to Cointelegraph’s request for comment. According to a Uranium representative, the error is yet to be fixed, and users have been told to avoid supplying liquidity to the project and to withdraw their funds.
The team has set up a Telegram group for hack victims, pledging to keep them updated on the progress being made to retrieve the stolen funds.
Wednesday’s hack is the second attack on the Uranium project in quick succession. Earlier in April, hackers exploited one of the platform’s pools, stealing about $1.3 million worth of BUSD and BNB.
Indeed, the incident led to the first migration to v2 less than two weeks ago. In a previous announcement, the Uranium developer team said that multiple entities had audited its v2 contracts and that it had learned from its previous mistakes.
Meanwhile, speculation is rife as to whether the attack was an inside job, given the sudden decision to engineer another version upgrade barely 11 days after completing the v2 migration.
Today @UraniumFinance got rekt. The Uranium devs had just deployed v2 of their contracts, and 11 days later they asked everyone to migrate to v2.1. Pretty odd timing for an upgrade, right?
Here’s how the bug worked. ⬇️
— Kyle “1B TVL” Kistner | Fulcrum | bZx (@BeTheb0x) April 28, 2021
Hacks involving smart contract bugs are common in the decentralized finance space, including in fully audited projects, as was the case with MonsterSlayer Finance earlier this month. Meerkat, a Yearn.finance clone on the BSC, allegedly “exit-scammed” its users in March, taking $31 million in the process.
Days later, the project’s developer team announced that the supposed “rug pull” was a test, and that the funds would be returned. Another BSC-based project, TurtleDex, also exit-scammed shortly after its completion, stealing over 9,000 BNB tokens collected during the pre-sale.