Binance Smart Chain Faces Another Exploit, Impossible Finance Loses $500K in Funds

Another flash loan exploit has visited Binance Smart Chain as attackers find that exploiting Impossible Finance is in fact easily possible.

Flash Loans Linger On

The DeFi platform Impossible Finance has lost $500,000 of investor money in a flash loan exploit. The attack took place just after 4:40 AM UTC on June 21st, with the protocol losing 229.84 ETH. The attack exploited the same vulnerability which saw BurgerSwap lose $7.2 million in May.

So similar were the two attacks that one commentator mistakenly believed Impossible Finance was a fork of BurgerSwap.

Mudit Gupta, core developer at SushiSwap, took to Twitter following the exploit to ask, “If the original project gets hacked, why don’t the forks react?” 

He later corrected himself: “Apparently, Impossible Finance was not a fork of burger swap. Yet, they shared the same vulnerability and got exploited in the same way.”

Fork or no fork, users will be asking why similar attack vectors are proving so successful for malicious actors again and again.

What Impossible Finance is telling its community

Familiar Hunting Grounds

Binance Smart Chain is becoming a familiar hunting ground for attackers seeking to exploit flash loan vulnerabilities. The fact that Impossible Finance was exploited in the same manner as the highly publicized BurgerSwap attack just last month serves to underline the ease with which attackers are now pocketing investor funds. Following a wave of similar exploits, users will rightly question whether the success of further attacks should be attributed to extreme negligence on the part of developers, or to something more worrying still.

An analysis of the Impossible Finance vulnerability backs the claims of Mudit Gupta. As the Medium blog of the security watchdog “Watch Pug” explains, an edit to the code of Impossible Finance made possible an exploit which should otherwise have been impossible.

Watch Pug states: “The original Uniswap LP contract includes an important check that enforces x*y=k. It’s missing in the cheapSwap() function. With the K check missing, the impossible is now possible.”

Removing a line of code that is present in the Uniswap contract created a weakness in the security of the system. Compare this with the analysis of SushiSwap developer Mudit Gupta, who explained the BurgerSwap vulnerability just the previous month:

“The swap function is supposed to verify x*y >= k which basically verifies that the contract got enough input tokens required to do the swap.”

The only difference between the two analyses is that Mudit Gupta includes the greater-than symbol (>) as well as the equals (=) symbol in his equation. The point remains the same, however: the x*y figure should not be less than k. In both the BurgerSwap and Impossible Finance exploits it was, and users lost out. While the exploit of Impossible Finance was far smaller than the one perpetrated on BurgerSwap, it also came a month after the weakness had been widely publicized and covered by multiple crypto outlets, including bsc.news.
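To make the invariant both analysts describe concrete, here is an added model of a Uniswap-V2-style constant-product pool; it is constructed for this article and is not code from Impossible Finance, Uniswap or BurgerSwap. The `enforce_k` flag lets you compare a swap function that keeps the x*y >= k check against one that dropped it, as cheapSwap() did; the 0.3% fee and the pool sizes are assumptions.

```python
"""Constructed model of a constant-product pool and its x*y >= k check.
Not the code of Impossible Finance, Uniswap or BurgerSwap."""
from dataclasses import dataclass

FEE_BPS = 30      # assumed 0.3% swap fee, in basis points
BPS = 10_000


class SwapRejected(Exception):
    """Raised when a swap fails one of the pool's safety checks."""


@dataclass
class Pool:
    reserve0: int
    reserve1: int

    def k(self) -> int:
        return self.reserve0 * self.reserve1

    def amount_out(self, amount_in: int, zero_for_one: bool) -> int:
        """Fair output for a given input: constant-product pricing minus the fee."""
        r_in, r_out = (self.reserve0, self.reserve1) if zero_for_one else (self.reserve1, self.reserve0)
        in_with_fee = amount_in * (BPS - FEE_BPS)
        return in_with_fee * r_out // (r_in * BPS + in_with_fee)

    def swap(self, in0: int, in1: int, out0: int, out1: int, enforce_k: bool = True) -> None:
        """Caller has already sent in0/in1 to the pool and asks for out0/out1.
        enforce_k=False models a swap function with the invariant check removed."""
        if out0 >= self.reserve0 or out1 >= self.reserve1:
            raise SwapRejected("insufficient liquidity")
        bal0 = self.reserve0 + in0 - out0
        bal1 = self.reserve1 + in1 - out1
        if enforce_k:
            # Fee-adjusted balances must keep x*y at or above the prior k,
            # i.e. the caller must have paid enough input for the output taken.
            adj0 = bal0 * BPS - in0 * FEE_BPS
            adj1 = bal1 * BPS - in1 * FEE_BPS
            if adj0 * adj1 < self.k() * BPS * BPS:
                raise SwapRejected("K")
        self.reserve0, self.reserve1 = bal0, bal1


def underpaid_swap(enforce_k: bool) -> tuple[bool, int, int]:
    """Ask for 20_000 of token1 while paying only 10_000 of token0 (fair price is ~9_871).
    Returns (accepted, k_before, k_after) so the effect on pool value is visible."""
    pool = Pool(1_000_000, 1_000_000)
    k_before = pool.k()
    try:
        pool.swap(10_000, 0, 0, 20_000, enforce_k=enforce_k)
        return True, k_before, pool.k()
    except SwapRejected:
        return False, k_before, pool.k()
```

With the check in place the underpaid request is rejected and k is unchanged; without it the swap succeeds and k falls, which is value leaving the liquidity providers' pool.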

Resolving Matters

Impossible Finance has now released their side of the story and how they intend to resolve the matter with their community.

Impossible Finance went on the record to state, “The truth is that although our swap was attacked due to the missing x*y=k condition, leaving that line out was an intentional design decision, in conjunction with several safety measures that we took that ultimately were not sufficient.”

The attack in code

Impossible Finance went on to explain the reasons for leaving out this particular condition, such as reducing gas fees. Following the attack, the company has decided to reimplement it. The company is also introducing a number of other safety features to the platform, including the whitelisting of tokens.

The company has gone on record to state that, “All users who deposited into liquidity pools (“LPs”) prior to the attack will be 100% compensated.”

Source : bsc.news
