Key Takeaways
- BurgerSwap was hit by a flash loan attack last night. The losses amount to roughly $7.2 million.
- Uniswap founder Hayden Adams noted that a key part of the code was changed by the BurgerSwap team, raising suspicions of an inside job.
- Incidents on Binance Smart Chain have multiplied in recent weeks, resulting in tens of millions in lost user funds.
Another Binance Smart Chain app has suffered a flash loan attack. More than $7 million of users’ funds was drained from BurgerSwap last night.
BurgerSwap Suffers Attack
Flash loan attackers are increasingly targeting Binance Smart Chain applications. This time, it was Uniswap clone BurgerSwap that got exploited. Last night, an attacker borrowed funds from PancakeSwap to unbalance the liquidity pools on BurgerSwap, then emptied them before returning the loan.
BurgerSwap posted a breakdown of the incident on Twitter earlier this morning.
1/9
BurgerSwap Flash Loan Attack Details:
At around 3 am on May 28th (UTC+8) #BurgerSwap on the BSC chain encountered a flash loan attack; $7.2M was stolen from #BurgerSwap in 14 transactions;
— BurgerSwap (@burger_swap) May 28, 2021
The attack was worth roughly $7.2 million. Some of the funds are now on the Ethereum blockchain, while some BURGER tokens have been left on Binance Smart Chain. BurgerSwap is one of Binance Smart Chain’s leading applications. It was launched last year and has similar code to Uniswap’s V2. However, as Uniswap founder Hayden Adams noted, BurgerSwap’s code omits a crucial line responsible for securing its liquidity pools. Adams reacted to the attack by noting that, without that line of code, the pools were very susceptible to this type of flash loan attack, before adding “iWoNDerWhYTHeyDiDtHAt.”
This thread sounds complicated. Here’s what happened very simply.
Uniswap v2 fork removed the only line that enforces x*y=k from core:
So core could very trivially be drained.
This is the line that was removed: https://t.co/iN3nc1xMTm
iWoNDerWhYTHeyDiDtHAt https://t.co/B9TN3KP25U
— Hayden Adams 🦄 (@haydenzadams) May 28, 2021
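The x*y=k check Adams refers to, modelled here as an added example (not code from this article, BurgerSwap or Uniswap). The class and function names and the `enforce_k` switch are hypothetical; the 0.3% fee and the fee-adjusted product comparison are assumed to match Uniswap v2's public core contract.

```python
# Added illustration: a simplified model of a Uniswap-v2-style pair.
# Pair, swap, max_out and enforce_k are hypothetical names; the 0.3% fee and
# the fee-adjusted product comparison are assumed from Uniswap v2's core.

class InvariantError(Exception):
    """Raised when a swap would lower the fee-adjusted product x*y."""


class Pair:
    def __init__(self, reserve0: int, reserve1: int, enforce_k: bool = True):
        self.reserve0 = reserve0
        self.reserve1 = reserve1
        self.enforce_k = enforce_k  # False models a fork with the check removed

    def swap(self, amount0_in: int, amount1_in: int,
             amount0_out: int, amount1_out: int) -> None:
        if amount0_out >= self.reserve0 or amount1_out >= self.reserve1:
            raise ValueError("insufficient liquidity")
        # Balances the pair would hold after paying out and receiving input.
        balance0 = self.reserve0 + amount0_in - amount0_out
        balance1 = self.reserve1 + amount1_in - amount1_out
        if self.enforce_k:
            # Charge the 0.3% fee on inputs, then require x*y not to shrink.
            adj0 = balance0 * 1000 - amount0_in * 3
            adj1 = balance1 * 1000 - amount1_in * 3
            if adj0 * adj1 < self.reserve0 * self.reserve1 * 1000 ** 2:
                raise InvariantError("K")
        self.reserve0, self.reserve1 = balance0, balance1

    def k(self) -> int:
        return self.reserve0 * self.reserve1


def max_out(reserve_in: int, reserve_out: int, amount_in: int) -> int:
    """Largest output the fee-adjusted invariant allows for a given input."""
    in_with_fee = amount_in * 997
    return in_with_fee * reserve_out // (reserve_in * 1000 + in_with_fee)
```

With the check in place, a swap that asks for even one unit more than `max_out` allows is rejected; with it disabled, nothing ties what leaves the pool to what was paid in, which is the behaviour an audit or fork diff should flag.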
Many Binance Smart Chain projects have suffered exploits recently, and suspicions of inside jobs have been running high. In some cases, such as Uranium Finance, key parts of the code used by other projects have been omitted or changed. Both Uranium Finance and BurgerSwap are run by anonymous teams, which would reduce accountability in the event of an inside job.
Meerkat Finance, a copy of Yearn Finance, suffered a suspected rug pull worth $30 million. Last week, Bunny Finance was exploited by a flash loan attack, leading the price of the BUNNY governance token to drop by 96%.
This year alone, the total losses from attacks on Binance Smart Chain projects are now comfortably in the tens of millions of dollars.
Disclaimer: The author held BTC, ETH, and several other cryptocurrencies at the time of writing.