פרויקט DeFi Uranium Finance הפסיד 50 מיליון דולר במטבעות קריפטוגרפיים
The developers of Uranium Finance, part of the Binance Smart Chain, were hacked on the night of April 28, losing about 50 million in cryptocurrencies. After that, they had to postpone the previously planned migration of assets of liquidity providers. Prior to the incident, the team intended to migrate them to an improved version of the protocol.
According to the developers of the team, the problem surfaced just during the transition to the V2.1 protocol. While the details of the incident are not entirely clear, it appears that the error occurred in the V2 pairing contracts. An exploit in the modifier's logic allowed the hacker to increase the balance by 100 times, thanks to which he quickly gained access to clients' money.
The news immediately hit Twitter, after which one of the users pointed out a bug in the code used by the Uranium developers. According to him, due to the change in the value from 1,000 to 10,000, it turned out that 1 wei of the incoming token became possible to change to 98% of the total balance of the outgoing one.
The developers, noticing the problem, immediately tried to ask the community for help with feedback from the Binance exchange, so that they stop transactions while the tokens were still on the Binance Smart Chain. However, the attacker managed to exchange DOT and ADA tokens for ETH using the PancakeSwap platform and withdraw more than $6.5 million using the Tornado Cash cryptocurrency mixer. One of the Twitter accounts tracked his activity and provided screenshots with the history of withdrawing money in the Ethereum equivalent. That being said, the hacker also quickly withdrew 80 BTC via AnySwap.
Among the losses of Uranium Finance:
- 80 BTC;
- 1800 ETH;
- 17.9 million BUSD;
- 5.7 million USDT;
- 638,000 ADA;
- 26,500 DOT;
- 112,000 U92 (Uranium's own tokens).
As a result of the incident, an investigation was launched to reimburse users for their losses, and the Uranium contracts repository is now marked on Github as remote. Developers asked customers to withdraw their money and formed a special channel in Telegram to promptly monitor information about the hacking.