We may never know the true nature of the exploit of Uranium.Finance, a fork of the Uniswap AMM built on the Binance Smart Chain (BSC). Neither the team nor the speculators have given a convincing account of what truly happened; each party seems to have a different theory, and to many it looks like yet another rugpull.

What Happened?

The announcement from Uranium Finance shocked the Crypto Twitter community by

An exploit has just been announced: the v2.0 code was exploited by an attacker who moved roughly $50 million out of the LP funds to a swapping platform and to specific wallets. The exploiter swapped the proceeds for BTC, ETH and DOT.

Appearing on the Binance Community Blog, the transaction details of what took place are as follows:

As of yesterday, $50m has been drained from the uranium.finance farms.

  • BSC uranium.finance
  • Uranium Finance Token Contract
  • Migration TX
    - 50M USD LP migration at 3.00 UTC 28/04/21
  • Money Stolen
    - Tx 1
    - Tx 2
  • Bridge via Anyswap
  • To ETH Wallet
  • And BTC wallet

More Detailed Events and the Likely Occurrence

Following the “hack” incident and the Tweet from Uranium, Twitter user Igor Igamberdiev, who goes by the handle @frankresearcher, gave a more detailed analysis of what may have happened in a well-detailed thread (https://twitter.com/frankresearcher/status/1387347052590354433).

Here is the breakdown of the stolen funds:

  • 34k WBNB ($18M)
  • 17.9M BUSD ($17.9M)
  • 1.8k ETH ($4.7M)
  • 80 BTC ($4.3M)
  • 26.5k DOT ($0.8M)
  • 638k ADA ($0.8M)
  • 5.7M USDT ($5.7M)
  • 112k U92
The BUSD and BNB remain on the contract, since they are problematic to cash out.

The hacker used PancakeSwap to swap the DOT and ADA to ETH, then withdrew 2,438 ETH via Anyswap to Ethereum, followed by the 80 BTC. After that, $1 million USDT and $99k DAI (bought with USDT) went to xDAI.

Transactions made from the contract, showing the outward movement of funds

How was the Exploit Done?

According to FrankResearcher's analysis in his thread, the pair contracts in v2 had a bug: because of a calculation error, anyone could interact with them and withdraw almost all of their tokens.

The buggy code, as posted by FrankResearcher

During the sanity check in swap(), the pair contracts treated their balances as a hundred times larger than they really were. Before interacting with Uranium, the attacker sent the minimum amount of each token to the pair contracts. They then called the low-level swap() function directly, which, because of the miscalculation, let them drain both reserves.
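As an added illustration (not Uranium Finance's contract and not code from FrankResearcher's thread), the following Python model of a Uniswap-V2-style pair's K check shows why a scaling mismatch in the sanity check lets a caller who has sent in only one unit of each token pull most of both reserves with a single low-level swap(). The fee and scaling constants are assumptions: the "correct" pair uses the Uniswap V2 convention (balances scaled by 1000, 0.3% fee, reserve product scaled by 1000**2), while the "buggy" pair scales the adjusted balances by 10000 but still scales the reserve product by 1000**2, which reproduces the hundred-fold mismatch described above. The reserve sizes are constructed.

```python
"""Toy model of a Uniswap V2-style pair's swap() K check.

Added example, not Uranium Finance's contract. Scaling constants are
assumptions chosen to reproduce the "balances look 100x larger" mismatch.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Pair:
    reserve0: int
    reserve1: int
    balance0: int          # tokens actually held by the pair contract
    balance1: int
    balance_scale: int     # factor applied to balances in the K check
    fee_units: int         # fee charged on amounts in, in units of balance_scale
    reserve_scale: int     # factor applied to each reserve in the K check

    @classmethod
    def correct(cls, r0: int, r1: int) -> Pair:
        # Uniswap V2 convention: 0.3% fee, both sides of the K check scaled by 1000.
        return cls(r0, r1, r0, r1, balance_scale=1000, fee_units=3, reserve_scale=1000)

    @classmethod
    def buggy(cls, r0: int, r1: int) -> Pair:
        # Assumed bug: fee expressed over 10000 on the balance side, but the reserve
        # side left at 1000**2, so balances as small as 1/100 of the reserve product
        # still satisfy the check.
        return cls(r0, r1, r0, r1, balance_scale=10000, fee_units=16, reserve_scale=1000)

    def transfer_in(self, amount0: int, amount1: int) -> None:
        """Plain token transfers to the pair; swap() infers amounts in from these."""
        self.balance0 += amount0
        self.balance1 += amount1

    def swap(self, amount0_out: int, amount1_out: int) -> None:
        """Low-level swap(): optimistic transfer out, then verify K on what is left."""
        if amount0_out >= self.reserve0 or amount1_out >= self.reserve1:
            raise ValueError("INSUFFICIENT_LIQUIDITY")
        balance0 = self.balance0 - amount0_out
        balance1 = self.balance1 - amount1_out
        amount0_in = max(balance0 - (self.reserve0 - amount0_out), 0)
        amount1_in = max(balance1 - (self.reserve1 - amount1_out), 0)
        if amount0_in == 0 and amount1_in == 0:
            raise ValueError("INSUFFICIENT_INPUT_AMOUNT")
        adjusted0 = balance0 * self.balance_scale - amount0_in * self.fee_units
        adjusted1 = balance1 * self.balance_scale - amount1_in * self.fee_units
        if adjusted0 * adjusted1 < self.reserve0 * self.reserve1 * self.reserve_scale ** 2:
            raise ValueError("K")
        # _update(): reserves now track the post-swap balances.
        self.balance0, self.balance1 = balance0, balance1
        self.reserve0, self.reserve1 = balance0, balance1


def attempt_drain(pair: Pair, num: int, den: int) -> tuple[bool, str]:
    """Attacker flow from the article: send 1 unit of each token, then call swap()
    asking for num/den of each reserve. Returns (succeeded, reason)."""
    pair.transfer_in(1, 1)
    out0 = pair.reserve0 * num // den
    out1 = pair.reserve1 * num // den
    try:
        pair.swap(out0, out1)
    except ValueError as exc:
        return False, str(exc)
    return True, f"took {out0} and {out1}"


R = 1_000_000 * 10**18  # constructed reserves: 1M of each token, 18 decimals

if __name__ == "__main__":
    print("correct pair, 90% of each:", attempt_drain(Pair.correct(R, R), 9, 10))
    print("buggy pair,   90% of each:", attempt_drain(Pair.buggy(R, R), 9, 10))
    print("buggy pair,   95% of each:", attempt_drain(Pair.buggy(R, R), 95, 100))
```

In the correct pair the call fails the K check, because the only way to take 90% of both reserves is to have paid matching value in first. In the buggy pair the check only bounds the product of the remaining balances to one hundredth of the reserve product, so a single call takes 90% of each side, and the call can be repeated on what is left, which is why almost the whole reserve can be drained.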

What makes this surprising is that the Uranium team had carried out a migration only ten days earlier, and the old version did not have the bug. The team then identified a bug in the new version, which resulted in version 2.1, and the LP migration to it was scheduled for the very day of the exploit.

Is this a Hack or a Rugpull Event?

Judging from FrankResearcher's detailed thread, and from the many replies under it citing suspicious activity by the team before the unfortunate event, the general feeling is that this may not be a hack at all, but rather a soft rugpull carried out by the team at the expense of users' funds. While the community holds this sentiment, it is impossible to know who the malicious actor was.

Source : bsc.news
