Belt Finance, a platform that provides automated market making for decentralized finance (DeFi), was hacked Saturday in a flash loan attack that resulted in a profit of $6.23 million for the perpetrator and an overall $50 million loss for the platform.

  • It's the latest attack on a DeFi protocol built on Binance Smart Chain, one of the so-called Ethereum killers that's built by centralized crypto exchange giant Binance.
  • In a blog post, Belt Finance said the attacker created a smart contract that used PancakeSwap for flash loans and exploited Belt's beltBUSD pool and its strategy protocols, then executed the contract eight times for a total profit of 6.23 million BUSD (US $6.23 million).
  • BeltBUSD vault users suffered a 21.36% loss of funds, while 4Belt pool users lost 5.51%, the protocol said. No other pools/vaults were affected. Overall, the attack cost the beltBUSD pool a combined loss of 50m BUSD (US $50 million) consisting of 43.8m in fees and the 6.23 million BUSD that the attacker withdrew as profit.
  • The protocol said it paused withdrawals and deposits as soon as it was aware of the attack and that the vulnerability that allowed the attack to occur has been patched.
  • In its blog post dated Sunday, Belt Finance said withdrawals and deposits would resume sometime in the next 24 to 48 hours and that it's working on a "compensation plan" that will be released in the next 48 hours.

UPDATE (May 30, 23:14 UTC): Adds that beltBUSD pool’s loss was a total 50 million BUSD with the 43.8 million in fees added to the 6.23 million in profits taken by the attacker.

Disclosure
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.