The bEarn exploit resulted in a loss of approximately $11 million, which was immediately met with an assurance that victims will be compensated.
BUSD Alpaca Strategy Exploit
It was just weeks ago that Spartan Protocol was exploited and $30 million was drained from its liquidity pool. Now, another DeFi protocol on the Binance Smart Chain has become a victim of a weakness that exists in the withdraw function. In an address to its community members on medium.com, bEarn Fi further clarified how the exploit took place and the extent of the breach. It was a prompt response. A total of 26 attacking transactions capitalising on this weakness took place, causing losses amounting to $10.86 million.
Use of Flash Loans
The attacker took a flash loan of $7.8 million BUSD through Cream Finance and interacted with the smart contract on bVaults through numerous deposits and withdrawals. Flash loans are uncollateralized loans executed through smart contracts, and repayment must be made before the transaction ends. A final withdrawal of $8.26 million BUSD was made and the flash loan was repaid. bEarn Fi concedes that the exploitation took place because the withdrawal from the FairLaunch contract was passed with BUSD instead of ibBUSD. Immediate steps were taken to freeze its bVaults to prevent further losses.
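The unit mix-up named above (a BUSD amount passed where an ibBUSD amount is expected) can be modelled in a few lines. This is an added example, not bEarn Fi's contract code: the exchange rate, the StakingPool class and all function names are assumptions made for illustration, and the sample amounts are constructed. It shows the defect pattern beside a version that converts units and checks the result.

```python
from dataclasses import dataclass

RATE_NUM, RATE_DEN = 105, 100  # assumed rate: 1 ibBUSD redeems for 1.05 BUSD

@dataclass(frozen=True)
class Busd:    # amount of the underlying token
    wei: int

@dataclass(frozen=True)
class IbBusd:  # amount of interest-bearing shares
    wei: int

def to_shares(amount: Busd) -> IbBusd:
    """ibBUSD needed to cover a BUSD amount, rounded up."""
    return IbBusd(-(-amount.wei * RATE_DEN // RATE_NUM))

def redeem(shares: IbBusd) -> Busd:
    """BUSD released when shares are redeemed, rounded down."""
    return Busd(shares.wei * RATE_NUM // RATE_DEN)

class StakingPool:
    """Hypothetical stand-in for a staking contract denominated in ibBUSD."""
    def __init__(self, staked: IbBusd):
        self.staked = staked.wei

    def withdraw(self, shares: IbBusd) -> IbBusd:
        if not isinstance(shares, IbBusd):  # unit guard at the boundary
            raise TypeError("pool amounts are ibBUSD, not BUSD")
        if shares.wei > self.staked:
            raise ValueError("insufficient stake")
        self.staked -= shares.wei
        return shares

def withdraw_unit_confused(pool: StakingPool, want: Busd) -> Busd:
    # Defect pattern: the BUSD figure is reused as an ibBUSD figure.
    return redeem(pool.withdraw(IbBusd(want.wei)))

def withdraw_checked(pool: StakingPool, want: Busd) -> Busd:
    released = redeem(pool.withdraw(to_shares(want)))
    if released.wei < want.wei:  # invariant: conversion must cover the request
        raise RuntimeError("conversion released less than requested")
    return want  # rounding dust stays in the strategy

def demo() -> dict:
    want = Busd(1_000)  # constructed sample request
    a, b = StakingPool(IbBusd(10_000)), StakingPool(IbBusd(10_000))
    return {"confused": withdraw_unit_confused(a, want).wei, "confused_left": a.staked,
            "checked": withdraw_checked(b, want).wei, "checked_left": b.staked}

if __name__ == "__main__":
    print(demo())
```

Under the assumed rate, the unit-confused path releases more BUSD than the request accounts for, while the checked path unstakes only the shares needed; giving the two units distinct types lets the pool reject a raw BUSD value outright.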
Exploits like this are tragic and often cause a loss of confidence in the integrity of the code and the entire ecosystem. However, the remedial action to remain accountable to its community carries a lot of weight. Steps were taken to block the fund transfer from the perpetrator’s address, auditors were engaged to analyse the breach, and interactions with all bVaults were frozen as a precautionary step to preserve all remaining funds. A snapshot of the liquidity providers' balances was taken so that the team could carve out a compensation plan. The compensation plan is as follows:
87.5% of initial deposit amount in BUSD (immediately)
10% of initial deposit amount in BDEX (vesting token in 80 weeks, same as the core team)
7.5% of initial deposit amount in BDOv2 (immediately)
Innovation vs Security
DeFi is appealing as an innovative alternative to existing financial products. Being relatively new, it has weaknesses. In the past, we have seen numerous exploits specifically targeting DeFi protocols. A comprehensive and reliable compensation plan must be in place for any project to be accountable to its community. This will invariably lead to increased cost, but it is necessary to guard against the hazards of such oversights. The growth of the community rests heavily on the confidence of its members, and events like these are challenges that will make or break the project. One good example is the Paid Network breach in early March 2021. The PAID token took a 76% dive but has since recovered by taking accountability and ownership for the exploit.
Weaknesses in protocols, implementations or process flows can be difficult to detect. Therefore, security due diligence and auditing are indispensable in all projects. bEarn Fi won’t be the last to suffer such clandestine attacks. The takeaway that any participant in the DeFi ecosystem can draw from this incident is the importance of a credible protocol audit by a reputable party and, if all else fails, the assurance of a comprehensive compensation plan.
Source: bsc.news