Coindesk Logo

Binance Chain DeFi Exchange Uranium Finance Loses $50M in Exploit

Binance Chain DeFi Exchange Uranium Finance Loses $50M in Exploit

Binance Chain DeFi Exchange Uranium Finance Loses $50M in Exploit

So far, only $9 million in ETH and BTC from the hacker's haul has made it off the Binance Smart Chain blockchain.

So far, only $9 million in ETH and BTC from the hacker's haul has made it off the Binance Smart Chain blockchain.

So far, only $9 million in ETH and BTC from the hacker's haul has made it off the Binance Smart Chain blockchain.

AccessTimeIconApr 28, 2021, 4:27 PM
Updated Aug 19, 2021, 9:03 AM

Presented By Icon

Election 2024 coverage presented by

Stand with crypto

A Binance Smart Chain Uniswap clone, Uranium Finance, lost $50 million in tokens early Wednesday morning in an exploit.

The attacker took advantage of a vulnerability that has been present in Uranium's v2 contracts since the exchange upgraded over a week ago. After sending the minimum required tokens into Uranium's "pair contracts," the attacker drained the liquidity pools for multiple token pairs; a misplaced zero in the contract's balance field (or rather, the lack of one in a section that manages reserves) created the opening for the attack vector.

Out of the $50 million filched, pools for Binance's blockchain token (BNB) and its stablecoin (BUSD) each lost $18 million in funds. Ethereum and BTCB pools (Binance Chain's version of "wrapped'' bitcoin) collectively lost around $9 million worth of tokens. An additional $6.7 million in USDT and $1.7 million in DOT, ADA and Uranium's own token also disappeared from other pools. 

Post-hack, the BTCB has been swapped for real BTC, and the ETH is in an Ethereum mixer called Tornado Cash, according to The Block researcher Igor Igamberdiev. 

Notably, per a past exploit on Binance's BSC blockchain, the BNB and BUSD could be recovered through a rollback, though Binance has made no announcements on the matter.

'Whole farm at risk'

This vulnerability is present in all Uranium v2 pools. A Telegram pinned message by anonymous Uranium community member Baymax warns users to "STOP adding liquidity ... and remove liquidity if you can" because the exploit still leaves millions of dollars in tokens at risk in these v2 contracts.

Baymax advises users to migrate to the v2.1 contracts, which include a fix for the vulnerability. Notably, the attack came two hours before v2.1 went live, even though the exploit had been open since Uranium's last upgrade to v2 just over a week ago.

"As you all know, we commissioned an audit, and among the finding was an issue of low severity. Devs dug deeper and found an issue that had the whole farm at risk,” Baymax's pinned message reads. 

"There are a total of 7 people in Uranium who knew of the exploit. Outside of Uranium would be the 3 auditors contractors and their respective sub cons who may be aware of this flaw," it reads farther down. Later in the message, Baymax hypothesizes that "someone leaked information" that lead to the attacker exploiting the vulnerability.

Baymax did not respond to follow-up questions regarding the auditor of Uranium’s code.

Baymax also denied any involvement with Uranium beyond being a "community member" when speaking with CoinDesk. No other "community members," whether part of Uranium's core team or otherwise, responded by press time.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information have been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.