Twice in a row this April for the Binance project.
Uranium Finance becomes the latest project on the Binance Smart Chain network to be compromised and hijacked.
This comes after the automated market maker (AMM) platform reported a security breach that resulted in the loss of around $50 million.
According to a tweet from Uranium Finance, their v2.1 token migration event was exploited. The still-to-be-identified hacker somehow took advantage of bugs in the balance modifier logic, inflating the project’s balance by a factor of 100.
This error allowed the attacker to steal the funds from the project. At one point after the incident was discovered, the contract created by the suspect still held $36.8 million in Binance Coin (BNB) and Binance USD (BUSD).
The aftermath of the hijack
The funds stolen include 80 Bitcoin (BTC), 1,800 Ethereum (ETH), 26,500 Polkadot (DOT), 5.7 million Tether (USDT), 638,000 Cardano (ADA) and 112,000 U92, the native coin of Uranium Finance.
According to BscScan, the attacker then swapped the ADA and DOT tokens for ETH, increasing the ETH total to 2,400.
The unknown entity behind the theft has already moved 2,400 ETH (about $5.7 million) through the privacy tool Tornado Cash in sums of 100 ETH, using the cross-chain decentralized exchange bridge AnySwap to transfer funds from BSC to the Ethereum network.
Actions taken
Uranium Finance has already reached out to the Binance security team to stop the hacker’s attempt to move more funds out of the BSC network.
The exploited bug has not yet been patched, so users have been advised to stop providing liquidity to the project and cash out their funds.
The project team has also created a Telegram group for victims of the hack and promised to post updates on its attempts to recover the stolen funds.
This attack is the second on the Uranium project this April, the first being an exploit in which hackers targeted the platform’s pools to steal around $1.3 million worth of BUSD and BNB.