Uranium Finance Loses $50 Million in an Exploit

Uranium Finance, a DeFi project on Binance Smart Chain, says it was exploited early Wednesday and lost $50 million. The attackers used a bug in Uranium Finance’s smart contract to swap a single token for nearly all of the other tokens in the protocol’s liquidity pool. Uranium is a fork of SushiSwap, a well-known decentralized exchange on Ethereum, but the protocol’s team did not properly adapt the code. This left the protocol vulnerable to the attack.

Uranium Finance took to Twitter to explain the exploit, which targeted its v2.1 token migration event. More specifically, Uranium claimed that the hackers took advantage of defects in the project’s balance modifier logic. This allowed them to inflate the balance by a factor of 100 and eventually to drain approximately $50 million. On-chain data shows that the stolen funds include 80 BTC, 26,500 DOT, 1,800 ETH, 638,000 ADA, 112,000 u92 (the project’s native coin), and 5.7 million USDT.
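The article gives only the outcome of the flaw (a 100-fold inflation in the balance logic). As an added illustration that is not Uranium's contract code, the Python model below shows how a constant-product swap check that scales balances and reserves by different constants accepts value-losing swaps, and how a regression test catches it; the scale constants, pool size and function names are assumptions chosen to reproduce the factor of 100.

```python
from fractions import Fraction

def check_passes(reserves, balances, balance_scale, reserve_scale):
    """Model of a pool's post-swap check: the scaled balance product must be
    at least the scaled reserve product. Swap fees are omitted."""
    (r0, r1), (b0, b1) = reserves, balances
    return (b0 * balance_scale) * (b1 * balance_scale) >= r0 * r1 * reserve_scale ** 2

def loosening_factor(balance_scale, reserve_scale):
    """Factor by which b0*b1 may fall below r0*r1 and still pass (1 = sound)."""
    return Fraction(balance_scale ** 2, reserve_scale ** 2)

def swaps(reserves, steps=100):
    """Constructed swaps: 1 unit of token0 in, pct% of the token1 reserve out."""
    r0, r1 = reserves
    for pct in range(steps):
        yield pct, (r0 + 1, r1 - r1 * pct // steps)

def first_unsound_swap(reserves, balance_scale, reserve_scale):
    """Regression test: first accepted swap that lowers the true product."""
    r0, r1 = reserves
    for pct, bal in swaps(reserves):
        if check_passes(reserves, bal, balance_scale, reserve_scale) \
                and bal[0] * bal[1] < r0 * r1:
            return pct, bal
    return None

def max_accepted_withdrawal_pct(reserves, balance_scale, reserve_scale):
    """Largest share of token1 the check lets leave for 1 unit of token0."""
    return max(pct for pct, bal in swaps(reserves)
               if check_passes(reserves, bal, balance_scale, reserve_scale))

RESERVES = (1_000_000, 1_000_000)  # constructed pool state
MISMATCHED = (10_000, 1_000)       # assumed constants; 10_000**2 / 1_000**2 == 100
CONSISTENT = (1_000, 1_000)        # same scale on both sides

if __name__ == "__main__":
    for name, scales in (("mismatched", MISMATCHED), ("consistent", CONSISTENT)):
        print(name, loosening_factor(*scales),
              first_unsound_swap(RESERVES, *scales),
              max_accepted_withdrawal_pct(RESERVES, *scales))
```

A property test of this shape (every accepted swap must leave the balance product at or above the reserve product) is the kind of check that flags a scale mismatch before a forked pool contract is deployed.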

Hacker Transferred the Funds to Tornado Cash

While the team attempted to fix the vulnerability, the hacker transferred the stolen funds to the Ethereum network, exchanged them for ETH, and sent the ETH to the privacy-preserving mixer Tornado Cash. The exploit took place during Uranium’s migration to its v2 upgrade. The team is in the process of contacting law enforcement and is currently in contact with Binance’s security team.

Uranium also said it was willing to make a deal with individuals who hold the funds or can identify the mastermind behind the exploit before things got out of hand. The Uranium contracts repository is not available on GitHub, for unknown reasons. Furthermore, no team members are listed on Uranium Finance’s official website, so it is difficult to investigate further how the exploit occurred or who may have been responsible.

The crypto community also questioned Uranium’s account that the project was vulnerable. Given the history of countless rug pulls, particularly in DeFi, several people suggested that this could have been an inside job. BSC has also faced criticism over the increasing number of rug pulls recently carried out on projects running on top of the network. Indeed, Uranium underwent a similar incident earlier in April, with the attacker withdrawing $1.3 million worth of BNB and BUSD.

