Binance Smart Chain’s bEarn Fi exploited and drained of $11 million

bEarn Fi, a decentralized finance (DeFi) cross-chain auto yield farming protocol built on Binance Smart Chain, was exploited on Sunday, losing almost $11 million, according to blockchain analysis firm PeckShield.

On its official Twitter account, bEarn Fi advised its users that it had “temporarily paused withdrawals and deposits” for all of its bVaults in light of the investigation into the Alpaca Vault incident, where this latest DeFi protocol exploit happened.

The bEarn Fi post also addressed the significant increase observed in its users’ Binance USD deposits, which was part of the ploy of the cyber attacker(s).

Exploit detailed

At 10:36:20 AM UTC on May 16, the BvaultsBank contract of bEarn Fi was exploited through a bug in its internal withdraw logic: BvaultsBank and the Bvaults Strategy read the same input amount but interpreted it in different asset denominations.

The Bvaults Bank’s withdrawal logic assumed the withdrawn amount was in Binance USD while the Bvaults Strategy’s withdrawal logic assumed the withdrawal was in ibBUSD – an interest-bearing token more expensive than Binance USD.

This meant that a withdrawal request for 100 BUSD actually led to a withdrawal of 100 ibBUSD, ultimately resulting in the Bvaults Bank contract being drained of funds amounting to about $11 million.
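The denomination mismatch described above can be reproduced in a small accounting model. This is an added example, not bEarn Fi's contract code: the `Bank` and `Strategy` classes, the `enforce_invariant` check and the 1.05 BUSD-per-ibBUSD rate are assumptions made for illustration (the article only says ibBUSD is worth more than BUSD).

```python
from fractions import Fraction

# Constructed rate: the article only says ibBUSD is worth more than BUSD.
BUSD_PER_IBBUSD = Fraction(105, 100)


class Strategy:
    """Holds ibBUSD; withdraw() expects an amount denominated in ibBUSD."""

    def __init__(self, ib_balance):
        self.ib_balance = Fraction(ib_balance)

    def withdraw(self, ib_amount):
        if ib_amount > self.ib_balance:
            raise ValueError("strategy holds too little ibBUSD")
        self.ib_balance -= ib_amount
        return ib_amount * BUSD_PER_IBBUSD  # BUSD value released to the bank


class Bank:
    """Accounts for users in BUSD and forwards withdrawals to the strategy."""

    def __init__(self, strategy, convert_units, enforce_invariant=False):
        self.strategy = strategy
        self.convert_units = convert_units
        self.enforce_invariant = enforce_invariant

    def withdraw(self, busd_amount):
        busd_amount = Fraction(busd_amount)
        if self.convert_units:
            ib_amount = busd_amount / BUSD_PER_IBBUSD  # BUSD -> ibBUSD
        else:
            ib_amount = busd_amount  # bug: same number, different asset
        released = self.strategy.withdraw(ib_amount)
        # Defensive check; on-chain, a revert here would roll the withdrawal back.
        if self.enforce_invariant and released != busd_amount:
            raise RuntimeError("released value differs from requested BUSD")
        return released


def excess_released(convert_units, requested=100, pool=1000):
    """BUSD value released beyond what the bank debited for one withdrawal."""
    bank = Bank(Strategy(pool), convert_units)
    return bank.withdraw(requested) - requested


if __name__ == "__main__":
    print("mismatched units:", excess_released(False))  # 5
    print("converted units: ", excess_released(True))   # 0
```

A post-withdrawal invariant of this kind (value released equals value debited) is the sort of check that catches a unit mismatch between two contracts even when each one is internally consistent.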

Users became restless

bEarn Fi’s Telegram group has been bombarded with questions from users expressing concern about their funds and asking if there is something wrong with its Binance USD vault. One user cited the observed increase in their BUSD deposits, describing it as “impossible.”

A team member of bEarn Fi replied to numerous queries, saying they are working on it. Earlier, the protocol had already assured users that it is conducting an investigation to determine how the attack was carried out and who might be behind it.

Earlier this month, Spartan Protocol, another DeFi project on Binance Smart Chain, was also attacked, resulting in a loss of more than $30 million.
