cryptobriefing.com
Yet another DeFi project on the Binance Smart Chain has fallen to hackers. This time, Uranium Finance was drained of more than $50 million.
Uranium Finance Joins List of Hacked Projects
The attackers exploited a bug in Uranium Finance’s smart contract to swap a single token for almost all other tokens in the protocol’s liquidity pool.
Though Uranium is a fork of SushiSwap, another popular decentralized exchange on Ethereum, the protocol’s team didn’t correctly adapt the code. This left the protocol open to attack.
Now here's the code used by the Uranium devs:
See the difference? 1000 was changed to 10000 in two places but not the end. The result? You could swap 1 wei of the input token for 98% of the total balance of the output token. pic.twitter.com/c8pRD55Fe9
— Kyle "1B TVL" Kistner | Fulcrum | bZx (@BeTheb0x) April 28, 2021
While the team scrambled to patch the vulnerability, the hacker sent the stolen funds to the Ethereum network, exchanged them for ETH, and sent it to the privacy-preserving mixer Tornado Cash.
The exploit occurred during Uranium’s migration to its v2 upgrade. The team is in the process of contacting law enforcement and is currently cooperating with Binance’s security team.
This is not the first hack on the Binance Smart Chain. Many protocols have been exploited lately, either by hackers like Uranium Finance or by its founding team, as was the case for yield farming protocol Meerkat Finance.
Disclaimer: The author held BTC, ETH, and several other cryptocurrencies at the time of writing.