Uranium Finance, a DeFi project on the Binance Smart Chain, was drained of more than $50 million
Another DeFi project on Binance Smart Chain has fallen into the hands of hackers. This time, Uranium Finance was hacked and stolen over $ 50 million. Currently, the project is contacting the Binance security team to resolve. However, according to the trace, the funds were sent to Tornado Cash – a non-custodial privacy solution for the Ethereum network based on zkSNARKs technology.
Accordingly, the team quickly informed users as follows:
‼️ We are in contact with Binance Security Team and in the process of escalating this.
If you are in possession of the funds or know someone who is contact me now to arrange a deal before this goes higher.
— Uranium Finance (@UraniumFinance) April 28, 2021
Uranium Finance joins the list of projects under attack
The attackers exploited a bug in the Uranium Finance smart contract to swap a single token for most of the other tokens in the protocol’s liquidity pool. Although Uranium is a fork of SushiSwap, another popular decentralized exchange on Ethereum, the team has not properly tuned the code. This leaves the protocol completely open, easy to attack.
Accordingly, Kyle Kistner, the co-founder of the bZx protocol has raised a question about Uranium’s upgrade timing. According to him, this is a rather strange time to upgrade:
“Today @UraniumFinance got rekt. The Uranium devs had just deployed v2 of their contracts, and 11 days later they asked everyone to migrate to v2.1. Pretty odd timing for an upgrade, right?”
Kistner then explained how the protocol was hacked as follows:
Now here’s the code used by the Uranium devs:
See the difference? 1000 was changed to 10000 in two places but not the end. The result? You could swap 1 wei of the input token for 98% of the total balance of the output token. pic.twitter.com/c8pRD55Fe9
— Kyle “1B TVL” Kistner | Fulcrum | bZx (@BeTheb0x) April 28, 2021
While the team was trying to patch the security hole, the hackers swapped into ETH and sent them to Tornado Cash, a privacy-preserving mixer.
The attacker sent ETH in batches of 100 to Tornado Cash, a privacy-preserving mixer | Source: Etherscan
This happened during the development of Uranium to the v2 upgrade. The team is currently in the process of contacting law enforcement and is working hard to partner with the Binance security team.
This is not the first hack on Binance Smart Chain. Lately, many protocols have been exploited by hackers like Uranium Finance or by its founding team, as is the case with the Meerkat Finance protocol. The project subsequently lost about 13 million BUSD and around 73,000 BNB, a total current value of $ 31.01 million at this time. Funds continue to be moved to many new blockchain addresses.
- Turkish Authorities Blocked All Onshore Bank Accounts Of Cryptocurrency Exchange Platform In The Country
- The Coolcat Ponzi Project Collapsed, Causing Billions Of VND In Damages To More Than 2,000 Vietnamese Investors