More flash loan attacks on DeFi protocols on the BSC
June 01 2021

Flash loan attacks are intensifying on Binance Smart Chain, with two more DeFi protocols suffering exploits over the weekend – BurgerSwap and BeltFinance.

BurgerSwap, a DEX on Binance Smart Chain (BSC), fell victim to a flash loan attack on May 28. The equivalent of $7.2 M was stolen in 14 transactions.

The hacker(s) created their own “fake coin” (a non-standard BEP20 token), used it to form a trading pair with the platform’s BURGER token, and, by manipulating the reserves in the pair’s contract, caused the price to change.

The attacker then took a flash loan in BNB from PancakeSwap, another BSC-based DEX, and swapped the funds for BURGER tokens.

After that, they added “fake tokens” and BURGER to liquidity pools and used it to exchange the “fake tokens” for BNB, ETH, USDT and some other coins.

Soon after, the BurgerSwap team announced that it had fixed the bug that allowed this exploit and had set up a compensation plan.

On May 30, it was BeltFinance, an AMM protocol also built on BSC, that suffered a similar attack.

“The attacker created a smart contract that used PancakeSwap for flash loans and exploited our beltBUSD pool and its underlying strategy protocols and then proceeded to execute the contract 8 times for a total profit of 6,234,753 BUSD,” commented the team.

BeltFinance has since announced that it has identified and patched the exploit and set up a compensation plan.

Binance highlighted the importance of security audits of the platforms’ code, a contingency plan and a bounty program to avoid such hacks. However, the general feeling towards BSC itself is becoming more distrustful, as several developers noted technical difficulties, notably that “the network is constantly forking uncontrollably”. It’s unclear, though, whether these difficulties have anything to do with the increase in attacks.