Binance Chain DeFi Exchange Uranium Finance Loses $50M in Exploit

So far, only $9 million in ETH and BTC from the hacker's haul has made it off the Binance Smart Chain blockchain.

AccessTimeIconApr 28, 2021 at 4:27 p.m. UTC
Updated Sep 14, 2021 at 12:48 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

A Binance Smart Chain Uniswap clone, Uranium Finance, lost $50 million in tokens early Wednesday morning in an exploit.

The attacker took advantage of a vulnerability that has been present in Uranium's v2 contracts since the exchange upgraded over a week ago. After sending the minimum required tokens into Uranium's "pair contracts," the attacker drained the liquidity pools for multiple token pairs; a misplaced zero in the contract's balance field (or rather, the lack of one in a section that manages reserves) created the opening for the attack vector.

Out of the $50 million filched, pools for Binance's blockchain token (BNB) and its stablecoin (BUSD) each lost $18 million in funds. Ethereum and BTCB pools (Binance Chain's version of "wrapped'' bitcoin) collectively lost around $9 million worth of tokens. An additional $6.7 million in USDT and $1.7 million in DOT, ADA and Uranium's own token also disappeared from other pools. 

Post-hack, the BTCB has been swapped for real BTC, and the ETH is in an Ethereum mixer called Tornado Cash, according to The Block researcher Igor Igamberdiev. 

Notably, per a past exploit on Binance's BSC blockchain, the BNB and BUSD could be recovered through a rollback, though Binance has made no announcements on the matter.

'Whole farm at risk'

This vulnerability is present in all Uranium v2 pools. A Telegram pinned message by anonymous Uranium community member Baymax warns users to "STOP adding liquidity ... and remove liquidity if you can" because the exploit still leaves millions of dollars in tokens at risk in these v2 contracts.

Baymax advises users to migrate to the v2.1 contracts, which include a fix for the vulnerability. Notably, the attack came two hours before v2.1 went live, even though the exploit had been open since Uranium's last upgrade to v2 just over a week ago.

"As you all know, we commissioned an audit, and among the finding was an issue of low severity. Devs dug deeper and found an issue that had the whole farm at risk,” Baymax's pinned message reads. 

"There are a total of 7 people in Uranium who knew of the exploit. Outside of Uranium would be the 3 auditors contractors and their respective sub cons who may be aware of this flaw," it reads farther down. Later in the message, Baymax hypothesizes that "someone leaked information" that lead to the attacker exploiting the vulnerability.

Baymax did not respond to follow-up questions regarding the auditor of Uranium’s code.

Baymax also denied any involvement with Uranium beyond being a "community member" when speaking with CoinDesk. No other "community members," whether part of Uranium's core team or otherwise, responded by press time.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.