A Binance Smart Chain Uniswap clone, Uranium Finance, lost $50 million in tokens early Wednesday morning in an exploit.
The attacker took advantage of a vulnerability that had been present in Uranium's v2 contracts since the exchange upgraded just over a week ago. After sending the minimum required tokens into Uranium's "pair contracts," the attacker drained the liquidity pools for multiple token pairs. The opening was a misplaced zero in the contract's balance field, or rather the lack of one in the section that manages reserves, which meant the contract accepted swaps it should have rejected.
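Added example, not code from the article or from Uranium's contracts: a model of a Uniswap v2-style swap invariant check (the "K" check) in plain integer arithmetic, with the reserve-side multiplier as a parameter so that a constant missing one zero can be compared against the correct one. The fee constants (16/10000) and the two reserve multipliers are assumptions for illustration; the soundness property at the end is the unit test a reviewer would run to catch this class of scaling mismatch.

```python
# Added example: model of a Uniswap v2-style swap "K" invariant check.
# Assumed constants (not taken from the article): a 0.16% fee expressed as
# 16/10000, so balances are scaled by 10000 and the stored reserve product
# must be scaled by 10000**2. A reserve multiplier of 1000**2 is one zero short.

FEE_DENOMINATOR = 10_000
FEE_NUMERATOR = 16
CORRECT_RESERVE_SCALE = FEE_DENOMINATOR ** 2  # 100_000_000
SHORT_RESERVE_SCALE = 1_000 ** 2              # 1_000_000: missing a zero


def k_check(reserve0, reserve1, amount0_in, amount1_in,
            amount0_out, amount1_out, reserve_scale):
    """Return True if the swap would be accepted by the invariant check.

    balance0/balance1 are the pair's token balances after the swap; the fee
    is charged on the input side before the product is compared against the
    stored reserves multiplied by reserve_scale.
    """
    balance0 = reserve0 + amount0_in - amount0_out
    balance1 = reserve1 + amount1_in - amount1_out
    if balance0 < 0 or balance1 < 0:
        return False  # insufficient liquidity
    adjusted0 = balance0 * FEE_DENOMINATOR - amount0_in * FEE_NUMERATOR
    adjusted1 = balance1 * FEE_DENOMINATOR - amount1_in * FEE_NUMERATOR
    return adjusted0 * adjusted1 >= reserve0 * reserve1 * reserve_scale


def short_check(r0, r1, in0, in1, out0, out1):
    """The check with the reserve multiplier one zero short."""
    return k_check(r0, r1, in0, in1, out0, out1, SHORT_RESERVE_SCALE)


def fixed_check(r0, r1, in0, in1, out0, out1):
    """The check with both sides scaled consistently."""
    return k_check(r0, r1, in0, in1, out0, out1, CORRECT_RESERVE_SCALE)


def check_is_sound(check, reserve0, reserve1, amount0_in, amount1_out):
    """Soundness property a reviewer would test: any swap that shrinks the
    reserve product reserve0 * reserve1 must be rejected by the check."""
    accepted = check(reserve0, reserve1, amount0_in, 0, 0, amount1_out)
    product_after = (reserve0 + amount0_in) * (reserve1 - amount1_out)
    shrinks_k = product_after < reserve0 * reserve1
    return not (accepted and shrinks_k)


if __name__ == "__main__":
    r0 = r1 = 1_000_000  # constructed pool reserves
    # One unit of token0 in, 98% of the token1 reserve out.
    print("short check accepts drain:", short_check(r0, r1, 1, 0, 0, 980_000))
    print("fixed check accepts drain:", fixed_check(r0, r1, 1, 0, 0, 980_000))
```

With the short multiplier the right-hand side of the comparison is 100 times too small, so the check passes even when the post-swap balances are a small fraction of the reserves; the consistently scaled version rejects the same swap while still accepting a normal fee-paying trade.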
Out of the $50 million filched, pools for Binance's blockchain token (BNB) and its stablecoin (BUSD) each lost $18 million in funds. Ethereum and BTCB pools (Binance Chain's version of "wrapped" bitcoin) collectively lost around $9 million worth of tokens. An additional $6.7 million in USDT and $1.7 million in DOT, ADA and Uranium's own token also disappeared from other pools.
Post-hack, the BTCB has been swapped for real BTC, and the ETH is in an Ethereum mixer called Tornado Cash, according to The Block researcher Igor Igamberdiev.
Notably, as with a past exploit on Binance's BSC blockchain, the BNB and BUSD could potentially be recovered through a rollback, though Binance has made no announcement on the matter.
This vulnerability is present in all Uranium v2 pools. A Telegram pinned message by anonymous Uranium community member Baymax warns users to "STOP adding liquidity … and remove liquidity if you can" because the exploit still leaves millions of dollars in tokens at risk in these v2 contracts.
Baymax advises users to migrate to the v2.1 contracts, which include a fix for the vulnerability. Notably, the attack came two hours before v2.1 went live, even though the exploit had been open since Uranium's last upgrade to v2 just over a week ago.
"As you all know, we commissioned an audit, and among the findings was an issue of low severity. Devs dug deeper and found an issue that had the whole farm at risk," Baymax's pinned message reads.
"There are a total of 7 people in Uranium who knew of the exploit. Outside of Uranium would be the 3 auditors contractors and their respective sub cons who may be aware of this flaw," the message continues further down. Later in the message, Baymax hypothesizes that "someone leaked information" that led to the attacker exploiting the vulnerability.
Baymax did not respond to follow-up questions regarding the auditor of Uranium's code.
Baymax also denied any involvement with Uranium beyond being a "community member" when speaking with CoinDesk. No other "community members," whether part of Uranium's core team or otherwise, responded by press time.