DeFi Project Uranium Finance Loses $50 Million to Hackers
Uranium Finance has become the latest decentralized finance (DeFi) project on the Binance Smart Chain (BSC) network to suffer a hack, with the protocol losing about $50 million.
$50 Million Drained from Uranium Finance
Uranium Finance announced the news of the hack via its official Twitter handle on Wednesday (April 28, 2021). According to the DeFi project, the exploit occurred during the platform's migration to version 2.1.
Uranium is an automated market maker (AMM) platform that claims to give its users daily dividends. An analysis of the incident by research analyst Igor Igamberdiev, posted in a tweet thread, indicated that the attacker was able to take advantage of a bug in the pair contracts of the protocol's v2 version. Because of the error, the balances of Uranium's pair contracts were inflated by a factor of 100.
As a result, the hacker drained the protocol of about $50 million. The individual(s) behind the theft reportedly moved over 2,400 ETH ($6.4 million) using Tornado Cash, an Ethereum privacy tool.
Details from BscScan show that the attacker’s contract still holds 34,000 WBNB and 17.9 million BUSD (both worth a little over $37 million). Other stolen funds include 26,500 Polkadot (DOT), 80 Bitcoin (BTC), 1,800 Ether (ETH), 5.7 million Tether (USDT), 638,000 Cardano (ADA), and 112,000 u92.
Meanwhile, Uranium has asked users to report the stolen funds using their Binance account.
“If you have a binance account please log in and immediately report stolen funds with this address, they have a mechanism for this as well.”
According to a message posted by one of the admins in the project's Telegram group, the team knew about the vulnerability, which was the reason for the upgrade to v2.1, but the attacker carried out the exploit two hours before the migration could happen.
The project also said that it was working with the Binance security team to prevent the hacker from stealing more funds. Uranium added that it was ready to negotiate a deal with individuals who were in possession of the funds or knew the mastermind behind the theft before things got out of hand.
However, users were displeased with the incident, with some noting that it was the second time such an exploit had happened. Indeed, Uranium suffered a similar incident earlier in April, with the attacker stealing $1.3 million worth of BNB and BUSD. There is speculation that the latest incident could be an inside job or a rug pull.