In just 14 transactions, a flash loan attack drained $7.2 million from the wallets of BurgerSwap, a decentralized exchange based on the Binance Smart Chain.
Flash loans are instantaneous crypto loans. A borrower can do whatever they like with the funds, so long as they repay the loan within the same transaction.
BurgerSwap conducted a post-mortem investigation with blockchain security firm PeckShield to work out how flash loans manipulated the protocol.
They discovered that, at 9PM UTC yesterday, an attacker deployed a fake BEP-20 token—a generic token standard on the Binance Smart Chain—and used it to form a trading pair with BURGER, BurgerSwap’s native token.
Later, the attacker executed code to manipulate the reserve supply of that trading pair, causing the price of $BURGER to move drastically. The attacker capitalized on that phony price difference through flash loans and continued to scheme their way through the exchange.
The attacker eventually made off with $1.6 million in Wrapped BNB, $6,800 in ETH, $3.2 million of BURGER coin, $1 million of xBURGER (a synthetic version of BURGER), 95,000 ROCKS ($152,000), $22,000 of BUSD (Binance’s US dollar-pegged stablecoin), and a further $1.4 million of USD stablecoin Tether.
“We understand what the community cares about the most. Detailed compensation plan is on the way”, BurgerSwap tweeted today. “All we [are] asking for is some time.”
7/9
(6) In total attacker received 8,800 $WBNB in the two latest steps;
(7) Swapped 493 $WBNB to around $108,700 BURGER on BurgerSwap;
(8) Attacker repay the flash swap;
— BurgerSwap (@burger_swap) May 28, 2021
BurgerSwap launched in September 2020 on the Binance Smart Chain (BSC), a popular decentralized finance (DeFi) alternative to the Ethereum network.
The BurgerSwap attack comes a week after PancakeBunny, another Binance Smart Chain-hosted DEX, fell victim to a similar attack and lost $45 million in customer funds.