bEarn Fi, a decentralized finance (DeFi) cross-chain auto yield farming protocol built on Binance Smart Chain, was exploited on Sunday, losing almost $11 million, according to blockchain analysis firm PeckShield.
On its official Twitter account, bEarn Fi told its users that it had “temporarily paused withdrawals and deposits” for all of its bVaults in light of the investigation into the Alpaca Vault incident, where the latest DeFi protocol exploit happened.
The post also addressed the significant increase that users had observed in their Binance USD deposits, which was part of the ploy of the cyber attacker(s).
At 10:36:20 AM UTC on May 16, the BvaultsBank contract of bEarn Fi was exploited through a bug in its internal withdraw logic: the BvaultsBank and the Bvaults Strategy read the same input amount but interpreted it in different asset denominations.
The Bvaults Bank’s withdrawal logic assumed the withdrawn amount was in Binance USD while the Bvaults Strategy’s withdrawal logic assumed the withdrawal was in ibBUSD – an interest-bearing token more expensive than Binance USD.
This meant that a withdrawal request for 100 BUSD actually led to a withdrawal of 100 ibBUSD, ultimately resulting in the Bvaults Bank contract being drained of funds amounting to about $11 million.
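The denomination mismatch described above can be reproduced in a small accounting model. This is an added example, not bEarn Fi's contract code: the class names, the 1.05 exchange rate and the balances are constructed assumptions, and the `shortfall` check is one way to express the solvency invariant that the mismatch breaks.

```python
from fractions import Fraction

PRICE = Fraction(105, 100)  # constructed rate: 1 ibBUSD redeems for 1.05 BUSD

class Strategy:
    """Holds the pooled funds as ibBUSD (hypothetical model)."""
    def __init__(self):
        self.ib_balance = Fraction(0)

    def deposit_busd(self, busd):
        self.ib_balance += busd / PRICE

    def withdraw_ib(self, ib_amount):
        # Reads its argument as ibBUSD and returns the BUSD redeemed.
        if ib_amount > self.ib_balance:
            raise ValueError("insufficient ibBUSD")
        self.ib_balance -= ib_amount
        return ib_amount * PRICE

class Bank:
    """Tracks user claims in BUSD and forwards withdrawals to the strategy."""
    def __init__(self, convert_units):
        self.strategy = Strategy()
        self.claims = {}
        self.convert_units = convert_units

    def deposit(self, user, busd):
        busd = Fraction(busd)
        self.claims[user] = self.claims.get(user, Fraction(0)) + busd
        self.strategy.deposit_busd(busd)

    def withdraw(self, user, busd):
        busd = Fraction(busd)
        if busd > self.claims.get(user, 0):
            raise ValueError("claim too small")
        self.claims[user] -= busd  # debited in BUSD
        # Mismatch: without conversion the same number is read as ibBUSD.
        # Fix: convert to the strategy's unit at the boundary.
        amount = busd / PRICE if self.convert_units else busd
        return self.strategy.withdraw_ib(amount)

    def shortfall(self):
        # Solvency invariant: BUSD owed to users minus BUSD value held.
        return sum(self.claims.values()) - self.strategy.ib_balance * PRICE

def simulate(convert_units):
    bank = Bank(convert_units)
    bank.deposit("others", 1000)   # constructed pool of other users' funds
    bank.deposit("alice", 100)
    paid = bank.withdraw("alice", 100)
    return paid, bank.shortfall()
```

With the conversion disabled, a 100 BUSD claim pays out 105 BUSD and the pool ends 5 BUSD short of what it owes the remaining depositors; with the conversion in place the payout matches the claim and the shortfall is zero.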
Users became restless
The bEarn Fi Telegram group has been bombarded with questions from users expressing concerns about their funds and asking whether there is something wrong with its Binance USD vault. One user cited the observed increase in their BUSD deposits, describing it as “impossible.”
A team member of bEarn Fi replied to numerous queries, saying they are working on it. Earlier, the protocol had already assured users that it is conducting an investigation to determine how the attack was carried out and who might be behind it.
Earlier this month, Spartan Protocol, another DeFi project on Binance Smart Contract, was also attacked, resulting in a loss of more than $30 million.