1/10
— Igor Igamberdiev (@FrankResearcher) April 28, 2021
So, Uranium Finance (another Uniswap v2 fork on BSC) was exploited for $51M, right?
Nope, everything is much more complicated.
Let’s figure out what happened.👇 pic.twitter.com/D6EsW3kZXV
Among the cryptocurrencies stolen from the Uranium protocol were:
- 80 bitcoin ($4.3 million)
- 1,800 ETH ($4.7 million)
- 17.9 million BUSD ($17.9 million)
- 5.7 million USDT ($5.7 million)
- 638,000 ADA ($0.8 million)
- 26,500 DOT ($0.8 million)
- 4,000 wrapped BNB ($18 million)
- 112,000 U92 Uranium tokens
The attacker(s) have already utilized Anyswap to convert ADA and DOT funds to ETH, and further used Tornado Cash to mix (anonymize) ~2,400 ETH (~$6.9 million at time of writing), while the stolen BNB and BUSD worth over $37 Million are still located in a contract created by the attacker on the Binance Smart Chain. These funds might prove much more difficult for the thief to fully cash out, as being part of the Binance ecosystem means these specific funds can likely be blacklisted from any kind of further exchange or interaction within the Binance ‘walled garden’. This is an important point worth being highlighted, one which should not be ignored or forgotten regardless of how this particular incident is resolved. Though it may wind up providing a kind of salvation for victims of this hack, the ability of a central party to interfere with the attacker(s), effectively blocking their desired crypto transactions speaks to just how ‘decentralized’ the Binance Smart Chain (BSC) actually is.
A more technical and detailed account of the Uranium finance exploit has been provided in the team’s latest medium post. The Uranium team acknowledges that though attribution for this attack is difficult, that it is quite possible, even likely, that this was an inside job.
“The exploit was made possible because during an update of the codebase for V2, we changed our swap fees from 0.20% to 0.16%, and this resulted in an unintended calculation that effected permitted swap fees. Those changes had the consequences to adapt the sanity checks of the balances, but one line wrongly stayed unchanged (in green), which lead to the possibility of an attacker draining the reserves. Literally a single 0 on a single line.”
“We also feel the need to state clearly to those that may think we should do a v3, that this will definitely not be happening. We will of course continue to help Binance and our users as much as we can via Telegram and if funds are secured will provide every assistance in the redistribution, but that is where Uranium ends. We will not be trying to make this project reborn again, doing so is not possible under these circumstances.”
According to Uranium Finance’s Telegram channel administrator “Baymax,” the bug which allowed the exploit was leveraged just two hours before version 2.1 of the protocol was launched. The suspicious timing of the exploit narrows down the list of potential perpetrators significantly. It is worth noting that this is an extremely young ‘DeFi’ protocol and there are no team members identified on the Uranium Finance official website. This makes investigation for victims especially challenging.
Baymax states: “There are a total of 7 people in Uranium who knew of the exploit. Outside of Uranium would be the 3 auditors contractors and their respective sub cons who may be aware of this flaw.”
“From the information that we gathered with the community input, it leans towards that someone leaked information that may have led to exploiters finding out about our vulnerabilities.”
This is yet another reminder of just how important good research can be, not to mention a bit of skepticism. The number of available DeFi instruments has grown so rapidly over the past many months, with the temptation of high-yield opportunities being dangled in front of largely inexperienced newcomers, all DeFi players should be on high alert. With this technology becoming more commonplace, and potential gains growing larger, participants can easily be overcome by greed and complacency, failing to thoroughly scrutinize the extreme levels of risk involved in a DeFi protocol where they once might have. The Uranium Finance DeFi protocol peaked at something like $80 Million in crypto assets, while the exploitable bug was still active and drastically underestimated in it’s potential severity. Remember to always exercise EXTRA caution in the crypto space, and never risk what you cannot afford to lose!