A Binance Smart Chain Uniswap clone, Uranium Finance, lost $50 million in tokens early Wednesday morning in an exploit.
The attacker took advantage of a vulnerability that has been present in Uranium’s v2 contracts since the exchange upgraded over a week ago. After sending the minimum required tokens into Uranium’s “pair contracts,” the attacker drained the liquidity pools for multiple token pairs; a misplaced zero in the contract’s balance field (or rather, the lack of one in a section that manages reserves) created the opening for the attack vector.
Out of the $50 million filched, pools for Binance’s blockchain token (BNB) and its stablecoin (BUSD) each lost $18 million in funds. Ethereum and BTCB pools (Binance Chain’s version of “wrapped” bitcoin) collectively lost around $9 million worth of tokens. An additional $6.7 million in USDT and $1.7 million in DOT, ADA and Uranium’s own token also disappeared from other pools.
Post-hack, the BTCB has been swapped for real BTC, and the ETH is in an Ethereum mixer called Tornado Cash, according to The Block researcher Igor Igamberdiev.
This vulnerability is present in all Uranium v2 pools. A Telegram pinned message by anonymous Uranium community member Baymax warns users to “STOP adding liquidity … and remove liquidity if you can” because the exploit still leaves millions of dollars in tokens at risk in these v2 contracts.
Baymax advises users to migrate to the v2.1 contracts, which include a fix for the vulnerability. Notably, the attack came two hours before v2.1 went live, even though the exploit had been open since Uranium’s last upgrade to v2 just over a week ago.
“As you all know, we commissioned an audit, and among the finding was an issue of low severity. Devs dug deeper and found an issue that had the whole farm at risk,” Baymax’s pinned message reads.
“There are a total of 7 people in Uranium who knew of the exploit. Outside of Uranium would be the 3 auditors contractors and their respective sub cons who may be aware of this flaw,” it reads farther down. Later in the message, Baymax hypothesizes that “someone leaked information” that lead to the attacker exploiting the vulnerability.
Baymax did not respond to follow-up questions regarding the auditor of Uranium’s code.
Baymax also denied any involvement with Uranium beyond being a “community member” when speaking with CoinDesk. No other “community members,” whether part of Uranium’s core team or otherwise, responded by press time.