
BurgerSwap Explains $7.2 Million Flash Loan Attack in Post-Mortem

decrypt.co, 28 May 2021 16:02 UTC

In just 14 transactions, a flash loan attack drained $7.2 million from the wallets of BurgerSwap, a decentralized exchange based on the Binance Smart Chain.

Flash loans are instantaneous crypto loans. A borrower can do whatever they like with the funds, so long as they repay the loan within the same transaction.

BurgerSwap conducted a post-mortem investigation with blockchain security firm PeckShield to work out how flash loans manipulated the protocol.

They discovered that, at 9PM UTC yesterday, an attacker deployed a fake BEP-20 token—a generic token standard on the Binance Smart Chain—and used it to form a trading pair with BURGER, BurgerSwap’s native token.

Later, the attacker ran code that manipulated the reserves of that trading pair, causing the price of $BURGER to move drastically. The attacker capitalized on that phony price difference through flash loans and continued to scheme their way through the exchange.

The attacker eventually made off with $1.6 million in Wrapped BNB, $6,800 in ETH, $3.2 million of BURGER coin, $1 million of xBURGER (a synthetic version of BURGER), 95,000 ROCKS ($152,000), $22,000 of Binance's US dollar-pegged stablecoin BUSD, and a further $1.4 million of the USD stablecoin Tether.

“We understand what the community cares about the most. Detailed compensation plan is on the way”, BurgerSwap tweeted today. “All we [are] asking for is some time.”

7/9

(6) In total attacker received 8,800 $WBNB in the two latest steps;
(7) Swapped 493 $WBNB to around $108,700 BURGER on BurgerSwap;
(8) Attacker repay the flash swap;

— BurgerSwap (@burger_swap) May 28, 2021

BurgerSwap launched in September 2020 on the Binance Smart Chain (BSC), a popular decentralized finance (DeFi) alternative to the Ethereum network.

The BurgerSwap attack comes a week after PancakeBunny, another Binance Smart Chain-hosted DEX, fell victim to a similar attack and lost $45 million in customer funds.
