BurgerSwap announced via Twitter on May 28, 2021, that bad actors had successfully exploited a loophole in its protocol, stealing a massive $7.2 million worth of various tokens, including BUSD, ETH, BURGER and a host of others.
Another BSC Protocol Goes Down
In a rather unfortunate development for Changpeng Zhao’s Binance Smart Chain (BSC) and the entire decentralized finance (DeFi) ecosystem, bad actors have successfully orchestrated a flash loan attack on BurgerSwap, carting away over $7 million of users’ funds.
According to a tweet by the team, a detailed report on the ugly incident will be published shortly. In the meantime, token swapping and liquidity mining operations on the network have been suspended until a solution is found.
In a separate tweet, the team explained that the flash loan attack took place at around 3 AM (UTC+8) on May 28, 2021, as the hackers exploited a reentrancy loophole in the protocol.
“At around 3 am on May 28th (UTC+8) #BurgerSwap on the BSC chain encountered a flash loan attack; $7.2M was stolen from #BurgerSwap in 14 transactions,” declared the team.
DeFi Exploits on the Rise
According to CoinMarketCap (CMC), a total of 4.4k WBNB ($1.6M), 22k BUSD ($22k), 2.5 ETH ($6.8k), 1.4M USDT ($1.4M), 432k BURGER ($3.2M), 142K xBURGER ($1M), and 95k ROCKS were stolen by the attackers.
“The attacker first flash swapped 6k WBNB ($2 million) on PancakeSwap and then swapped all WBNB to 92k BURGER on BurgerSwap. The attacker then created a pair with fake tokens on BurgerSwap, adding 100 fake tokens and 45k BURGER. The 100 fake tokens were then swapped to 4.4 WBNB. The attacker then did another swap from 45k BURGER to 4.4 WBNB, resulting in the attacker receiving 8.8k WBNB in total. 493 WBNB were then swapped to 108.7k BURGER,” explained CMC.
While decentralized finance (DeFi) holds a lot of promise, flash loan attacks have been on the increase since 2019 and the industry has lost over $300 million to bad actors since that time.
Interestingly, the latest BurgerSwap heist has attracted mixed reactions from DeFi market participants, with some pointing accusing fingers at the team behind the project.
In the same vein, Uniswap (UNI) creator Hayden Adams has revealed that BurgerSwap, which is a fork of Uniswap V2, is missing a crucial line of code responsible for securing assets on the protocol, a strong indication that the heist was likely an inside job.
At press time, the global DeFi space has a combined $107.86 billion in total value locked (TVL). Aave maintains an 11.15 percent dominance with its $12.02 billion TVL, according to DeFi Llama.