We may never know the true nature of what happened with the code exploit of Uranium.Finance, a fork of the Uniswap AMM built on the Binance Smart Chain (BSC). Neither the team nor the speculators have offered a convincing account of what truly happened. Each party seems to have a different theory; however, there was yet another rugpull.
What Happened?
The announcement from Uranium Finance shocked the Crypto Twitter community by
An exploit has just been announced; the V 2.0 code was exploited by an attacker who transferred $50 million away from the LP funds into a swapping platform and specific wallets. The exploiter swapped for BTC, ETH, and DOT coin.
Transaction details of what took place, as they appeared on the Binance Community Blog, are below:
As of yesterday, $50m has been drained from the uranium.finance farms.
BSC uranium.finance
Uranium Finance Token Contract
50M USD LP migration at 3.00 UTC 28/04/21
Money Stolen
More Detailed Events and the Likely Occurrence
Following the “hack” incident and the Tweet from Uranium, a Twitter user named Igor Igamberdiev, who goes by the handle @frankresearcher, gave a more detailed analysis of what may have happened in his thread.
Here is the breakdown of the funds stolen/hacked:
- 34k WBNB ($18M)
- 17.9M BUSD ($17.9M)
- 1.8k ETH ($4.7M)
- 80 BTC ($4.3M)
- 26.5k DOT ($0.8M)
- 638k ADA ($0.8M)
- 5.7M USDT ($5.7M)
- 112k U92
The hacker used the PancakeSwap service to swap DOT and ADA to ETH. The attacker withdrew 2,438 ETH via Anyswap to Ethereum and 80 BTC after that. Afterwards, $1 million USDT and $99k DAI (bought with USDT) went to xDAI.
How was the Exploit Done?
According to FrankResearcher's detailed analysis in his thread, the pair contracts in v2 had a bug: anyone could interact with them and withdraw almost all tokens due to a calculation error.
The balances of pair contracts during sanity checks were a hundred times larger than the real ones. Before interacting with Uranium, the attacker sent the minimum amount of each token to the pair contracts. After that, they called the low-level function swap(), whose execution should drain both reserves.
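The calculation error described above, modeled as an added example (not code from Uranium, the article or the thread): a Uniswap-v2-style sanity check whose balance side and reserve side use different scale factors accepts swaps it should refuse, while the same check with consistent scales rejects them. The scale constants, fee and pool state are assumptions chosen to reproduce the hundredfold mismatch.

```python
# Toy integer model of the swap() sanity check in a Uniswap-v2-style pair.
# All constants are assumptions chosen to reproduce the 100x mismatch the
# article describes; they are not taken from the article.
BALANCE_SCALE = 10_000   # assumed scale applied to post-swap balances
BUGGY_K_SCALE = 1_000    # assumed mismatched scale on the reserve side
FEE = 16                 # hypothetical fee: 16 / BALANCE_SCALE = 0.16%


def k_check(reserves, balances, amounts_in, k_scale):
    """Constant-product check: fee-adjusted balances must not fall below K."""
    adj0 = balances[0] * BALANCE_SCALE - amounts_in[0] * FEE
    adj1 = balances[1] * BALANCE_SCALE - amounts_in[1] * FEE
    return adj0 * adj1 >= reserves[0] * reserves[1] * k_scale ** 2


def swap_accepted(reserves, amounts_in, amounts_out, k_scale):
    """Model swap(): tokens are sent in first, then the outputs are requested."""
    if any(out >= res for out, res in zip(amounts_out, reserves)):
        return False  # cannot pay out a whole reserve
    balances = [r + i - o for r, i, o in zip(reserves, amounts_in, amounts_out)]
    return k_check(reserves, balances, amounts_in, k_scale)


def regression_suite(k_scale):
    """Cases a reviewer could pin down before deploying a pair contract."""
    reserves = (1_000_000, 1_000_000)  # constructed pool state
    return {
        # Ordinary trade: 1000 in, 997 out (fair after the 0.16% fee).
        "fair_swap": swap_accepted(reserves, (1_000, 0), (0, 997), k_scale),
        # One unit more than the fee allows must be refused.
        "overpaid_swap": swap_accepted(reserves, (1_000, 0), (0, 998), k_scale),
        # Dust in, 90% of both reserves out: must always be refused.
        "dust_drain": swap_accepted(reserves, (1, 1), (900_000, 900_000), k_scale),
    }


if __name__ == "__main__":
    print("mismatched scales:", regression_suite(BUGGY_K_SCALE))
    print("consistent scales:", regression_suite(BALANCE_SCALE))
```

With mismatched scales every case is accepted, including the two that must be refused; a test suite that only exercised fair swaps would not have noticed the difference.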
This is surprising because the Uranium team made a migration ten days ago, and the old version didn’t have the bug. The team then identified a bug in the new version, which resulted in version 2.1, and the LP migration was supposed to be today.
Is this a Hack or a Rugpull Event?
Judging from FrankResearcher's detailed thread, and the many Tweet replies under the thread citing some suspicious activities of the team before the unfortunate event, the general feeling is that this may not be the case of a hack; rather, this may be a soft rugpull event done by the team to jeopardize users’ funds. While the community carries this sentiment, it is impossible to know who the malicious user was.
Source: bsc.news