TronWeekly

Crypto World News

You are here: Home / Archives for flash loan

flash loan

Binance Smart Chain believes hackers are specifically targeting it following back-to-back DeFi exploits.

by

Binance Smart Chain believes hackers are specifically targeting it following back-to-back DeFi exploits.

Several defi protocols built on top of Binance Smart Chain [BSC] decentralized finance ecosystem have suffered one after another hacks and exploits in a short period of time that has stemmed especially this past month. The platform believes that the recent flash loan hacks were orchestrated against BSC specifically.

The platform said on the 30th of May,

“There are >8 flashloan hacks recently, we believe, an well organized hackers are targeting Binance Smart Chain now. It is very challenging time for the BSC community.”

In a series of tweets, Binance Smart Chain also went on to urge the team behind the decentralized applications [DApps] to work with their audit companies to do another health check.

It also asked the cloned and forked defi projects, to “double and triple check” the changes from the original version and employ necessary risk control measures to actively identify any peculiar activities in a real-time manner and halt the protocol if any such strange activity indeed occurs.

Binance Smart Chain’s Rise to Fame

Since its inception last September, BSC saw tremendous success. The activity on Binance Chain’s parallel blockchain has dramatically soared as it continued to make headlines as one of the more viable rivals to the Ethereum network which was riddled with scalability issues.

However, as BSC rose to popularity, so are the bad actors that have breached various protocols and managed to siphon off with billions in crypto.

Binance had recently stated that it was not responsible for exploits on BSC protocols. Samy Karim, who happens to be the coordinator of business and ecosystem development at the cryptocurrency exchange, had earlier stated that Binance Smart Chain is a public permissionless infrastructure that enables anyone to deploy. He went on to add,

“You have malicious actors there and hacks, and exploits in defi are not new and definitely not unique to BSC.”

In another related news, BSC had added the blockchain analytics and cryptocurrency intelligence company, CipherTrace for the purpose of tracking illicit transactions.

Binance Smart Chain DeFi PancakeBunny Suffers Flash Loan Exploit

by

Another day, another flash loan attack on a defi protocol.

A Binance Smart Chain [BSC] decentralized finance [defi] yield optimizer project called PancakeBunny, has supposedly suffered an “economic exploit”. According to the PancakeBunny team’s official post on Twitter, the protocol was subjected to a flash loan attack from an external actor.

However, the platform clarified that none of the vaults on the platform were compromised.

“We would like to remind the community that no vaults have been compromised. The exploit was an economic exploit that attacked the price of BUNNY, using flash loans. We repeat, no vaults have been breached.”

The malicious entity reportedly borrowed “a huge amount” of Binance Coin [BNB] on DEX Pancakeswap and went on to manipulate the price of USDT/BNB as well as BUNNY/BNB. Subsequently, the hacker dumped all of the acquired BUNNY in the market which led to the crash in the token’s price.

PancakeBunny rebuffed reports that claimed that the attacker siphoned off with $1 billion worth of tokens but has not revealed the actual figures yet. According to calculations, the exploit drained over $200 million from the yield platform’s smart contracts. However, the blockchain security firm Certik said that the losses were around $40 million. Its tweet regarding the same read,

“An alert was published at Certik over an incident on PancakeBunny, which suffered from a FlashLoan attack and resulted in a loss of ~$40M (114K WBNB & 697K BUNNY). An illustration of exploited asset movements is presented & we are actively monitoring further TXs.”

Certick

Further making the situation worse, the hacker left a rabbit-related pun as a note after the execution of the transaction that read “Aren’t Flashloans Earitating”

Notably, the BSC-based defi project is led by Mound, a startup that secured $1.6 million from the exchange’s venture capital and incubator arm, Binance Labs recently.

DeFi Token, BUNNY Free Falls

chart

The native token, BUNNY was trading above $230 before the incident. However, it slashed its gains by more than 80% over the past 24-hours and was currently trading at $31.48, according to CoinGecko.

Binance Smart Chain’s DeFi Project Losses Over $30M In Flash Loan Exploit

by

A DeFi project Spartan Protocol’s contract suffered an exploit that led to loss of more than $30 million in funds. The incident reportedly originated due to a flawed liquidity share calculation in the protocol, that resulted in the drainage of assets from the pool.

In the post-mortem blog post, the security firm PeckShield detailed,

“In particular, the specific hack inflates the asset balance of the pool before burning the same amount of pool tokens to claim an unnecessarily large amount of underlying assets. The consequence of this attack results in more than $30M loss from the affected pool.”

The decentralized protocol [DeFi] was built on Binance Smart Chain for incentivized liquidity and synthetic assets. While first reporting the incident Spartan had revealed that the malicious entity used $61 million in Binance’s native token BNB to control the pools via an unknown economic exploit path to remove almost $3 million in funds from the pools.

According to the post-mortem report, the flash loan was taken on BSC’s popular DEX PancakeSwap for 100,000 wrapped BNB [wBNB]. This amount was to be paid back at the last step with 260 wBNB as the flash loan fee. However, the hacker allegedly swapped the wrapped BNB to Spartan’s native token – SPARTA five times via this exploited pool of the protocol. It swapped wBNB to SPARTAN an additional ten times through the same pool.

After inflating the asset balance in the pool, tokens were burnt to withdraw the liquidity. This process was repeated until the flash loan of 100,260 wBNB was returned and the hacker drained more than $30 million from the DeFi protocol.

DeFi Flash Loan Attacks One After Another

Rekt, which posted another assessment of the incident, also stated that Spartan’s latest exploit with $30 million funds drained is the sixth biggest incursion on its leaderboard.

This news comes jist days after the attackers of yet another Binance Smart Chain’s DeFi exchange Uranium Finance siphoned off with more than $57 million in exploit from a similar attack. In April 20th, layer two protocol EASYFI lost around $59 million.

Another DeFi Protocol Loses $7 Million In Flash Loan Exploit

by

Malicious actors are increasingly leveraging flash loans to fund attacks on decentralized finance [DeFi] protocols. Another one is biting the dust. This time, the Origin Protocol’s yield-generating stablecoin protocol, OUSD, was attacked and drained by nearly $7 million, of which $1 million was deposited by the company’s founders and employees.

After tracing the movement of the funds, the Founder of Origin Protocol Matthew Liu revealed that the attacker used both Tornado Cash and renBTC to wash and move funds. Additionally, there was still 7,137 ETH and 2.249 million DAI sitting in one of the attacker’s wallets.

Nature of the Attack

The exec explained,

“The attack was a reentrancy bug in our contract. Unfortunately, our contract was safe from reentrancy bugs unless one of our supported stablecoins was attacking us.”

Reentrancy attacks are known to be the most devastating attacks when developing smart contracts. They are devastating for two reasons: they can completely drain a smart contract of its funds, and they can sneak their way into the code if the developers are not careful.

In the case of OUSD, the entity reportedly exploited a missing validation check in mint multiple (when minting OUSD with multiple stablecoins) to pass in a fake “stablecoin” under their control. This “stablecoin” was then called “transferFrom” on by the vault. This essentially allowed the attacker to exploit the contract with a “reentrancy attack” in the middle of the mint.

As a response to the attack, Liu reminded the users not to buy OUSD on Uniswap or Sushiswap as the current prices do not reflect OUSD’s underlying assets.

Here’s what prominent DeFi influencer Autism Capital had to say about the entire fiasco:

 

Em8HlxjXMAABsvO scaled

Of late, flash loans have become one of the most popular as well as powerful new liquidity mechanisms that have recently emerged in the decentralized finance [DeFi] ecosystem.

Origin’s breach is the fifth major flash loan attack to hit the DeFi ecosystem in the past three weeks, after security breaches targeting platforms such as Harvest, Akropolis, Value, and CheeseBank. Additionally, it is the tenth DeFi platform to have been exploited in terms of year to date.