Another BSC Project Exploit: $7.2M Drained From BurgerSwap in a Flash Loan Attack
Another protocol built on the Binance Smart Chain (BSC) has suffered a security breach. This time it was the decentralized exchange BurgerSwap, and the attackers stole over $7 million through a flash loan attack.
$7.2M Drained From BurgerSwap
Launched earlier this year, BurgerSwap is a DeFi project that lets users swap between tokens issued on the BSC and earn rewards for providing liquidity. Earlier today, the protocol took to Twitter to disclose the security breach it had suffered.
It all happened on May 28th, and the perpetrators chose a notorious and common way to exploit the protocol: a flash loan attack. They managed to drain $7.2 million from BurgerSwap across 14 transactions.
The attack began with a flash swap of 6,000 WBNB (about $2 million) from PancakeSwap, almost all of which the attackers swapped into 92,000 BURGER, the native token of BurgerSwap, on BurgerSwap itself.
They then created their own fake token, formed a new BURGER/Fake Coin trading pair, and routed the trade as BURGER -> Fake Coin -> Wrapped BNB (WBNB).
Because the fake token was under their control, its transfer let them re-enter BurgerSwap through the BURGER/Fake Coin pair and manipulate the reserve0 and reserve1 values in the pair contract, causing a large price change. By re-entering in the same transaction and trading back to WBNB, the attackers received more WBNB than they had put in.
(3) Created pair with a fake token on BurgerSwap & added 100 fake tokens and 45k $BURGER to pool;
(4) Swapped 100 fake tokens to 4,400 $WBNB through the pool;
(5) Because of reentrancy at the time of transferring the fake token, the attacker did another swap from 45k $BURGER to 4.4k $WBNB; pic.twitter.com/SeVcE2bJ6w
— BurgerSwap (@burger_swap) May 28, 2021
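The mechanism described in the paragraphs above and in steps (3) to (5) of the tweet is easier to see on a small model. The Python below is an added example, not code from BurgerSwap, PancakeSwap or this article: it models a constant-product pair that reads reserve0 and reserve1, makes the external token transfers, and only then writes the reserves back, so a fake token whose transfer hook re-enters swap() is priced twice against the same stale reserves. That write-back ordering, the pool sizes and the token names are assumptions for the model, not a description of BurgerSwap's actual contract. The `hardened` flag shows the usual fixes: a reentrancy lock plus recomputing reserves from real balances as Uniswap V2 does. The fake pair is seeded with 100 fake tokens and 45k BURGER as in the tweet; the flash swap that funded the BURGER is not modelled.

```python
"""Toy model of the attack pattern described above: a malicious token whose transfer
hook re-enters an AMM pair before the pair writes back its reserves. Constructed
example, not BurgerSwap's or PancakeSwap's code; pool sizes are made up."""
from __future__ import annotations
import copy


class Token:
    """ERC20-like ledger keyed by account name; `on_transfer` models a transfer hook."""

    def __init__(self, symbol: str) -> None:
        self.symbol, self.balances = symbol, {}
        self.on_transfer = None  # callable(src, dst, amount); set by the attacker's token

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balance_of(src) < amount:
            raise RuntimeError(f"{self.symbol}: insufficient balance of {src}")
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount
        if self.on_transfer is not None:  # external call: may re-enter the caller
            self.on_transfer(src, dst, amount)


class Pair:
    def __init__(self, addr: str, token0: Token, token1: Token, r0: int, r1: int, hardened: bool) -> None:
        self.addr, self.token0, self.token1 = addr, token0, token1
        self.reserve0, self.reserve1 = r0, r1  # liquidity already deposited
        token0.balances[addr], token1.balances[addr] = r0, r1
        self.hardened, self._locked = hardened, False

    def swap(self, trader: str, token_in: Token, amount_in: int) -> int:
        if self.hardened and self._locked:
            raise RuntimeError("reentrancy blocked")  # whole transaction reverts
        self._locked = True
        in_is_0 = token_in is self.token0
        token_out = self.token1 if in_is_0 else self.token0
        r_in, r_out = (self.reserve0, self.reserve1) if in_is_0 else (self.reserve1, self.reserve0)
        amount_out = amount_in * r_out // (r_in + amount_in)  # constant product, no fee
        # Interaction before effect: transfer() may re-enter swap() while
        # reserve0/reserve1 still hold the pre-trade values.
        token_in.transfer(trader, self.addr, amount_in)
        token_out.transfer(self.addr, trader, amount_out)
        if self.hardened:  # recompute reserves from real balances; x*y must not shrink
            b0, b1 = self.token0.balance_of(self.addr), self.token1.balance_of(self.addr)
            if b0 * b1 < self.reserve0 * self.reserve1:
                raise RuntimeError("constant-product invariant violated")
            self.reserve0, self.reserve1 = b0, b1
        else:  # vulnerable: write back the stale snapshot, overwriting a re-entrant swap's effect
            new_in, new_out = r_in + amount_in, r_out - amount_out
            self.reserve0, self.reserve1 = (new_in, new_out) if in_is_0 else (new_out, new_in)
        self._locked = False
        return amount_out


class World:
    """Constructed state: honest BURGER/WBNB pool, attacker's FAKE/BURGER pool, 200 spare FAKE."""

    def __init__(self, hardened: bool) -> None:
        self.fake, self.burger, self.wbnb = Token("FAKE"), Token("BURGER"), Token("WBNB")
        self.bw = Pair("BURGER-WBNB", self.burger, self.wbnb, 90_000, 9_000, hardened)
        self.fb = Pair("FAKE-BURGER", self.fake, self.burger, 100, 45_000, hardened)
        self.fake.balances["attacker"] = 200


def reentrant_attack(w: World) -> None:
    """Steps (3)-(5) above: swap FAKE->BURGER, re-enter from the fake token's
    transfer hook, then cash all BURGER out to WBNB."""
    def hook(src: str, dst: str, amount: int) -> None:
        if dst == w.fb.addr and w.fake.balance_of("attacker") > 0:
            w.fb.swap("attacker", w.fake, 100)  # second swap priced on stale reserves
    w.fake.on_transfer = hook
    w.fb.swap("attacker", w.fake, 100)
    w.fake.on_transfer = None
    w.bw.swap("attacker", w.burger, w.burger.balance_of("attacker"))


def honest_trades(w: World) -> None:
    """Baseline: the same 200 FAKE sold in two ordinary swaps, then cashed out."""
    for _ in range(2):
        w.fb.swap("attacker", w.fake, 100)
    w.bw.swap("attacker", w.burger, w.burger.balance_of("attacker"))


def run(hardened: bool, scenario=reentrant_attack) -> dict:
    """Run `scenario` as one transaction (any error reverts to the pre-state)."""
    w = World(hardened)
    snapshot = copy.deepcopy(w)
    try:
        scenario(w)
        reverted = False
    except RuntimeError:
        w, reverted = snapshot, True
    return {"wbnb": w.wbnb.balance_of("attacker"), "reverted": reverted,
            "fb_reserves": (w.fb.reserve0, w.fb.reserve1),
            "fb_balances": (w.fake.balance_of(w.fb.addr), w.burger.balance_of(w.fb.addr))}
```

`run(False)` ends with the attacker holding 3,000 WBNB for 200 FAKE, against 2,250 WBNB when the same tokens are sold honestly (`run(False, honest_trades)`), and the vulnerable pair's stored reserves claim 22,500 BURGER it no longer holds, which is the reserve manipulation the article describes. `run(True)` reverts the whole transaction at the re-entrant call, so the attacker is left with nothing.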
Ultimately, they stole 4,400 WBNB ($1.6M at the time), 22,000 BUSD, 2.5 ETH ($6.8K), 432,000 BURGER ($3.2M), 142,000 xBURGER ($1M) and 95,000 ROCKS.
The DeFi project has suspended all of its services for now and says it will “surely work hard to cover users’ loss.”
Not The First
The BSC’s rapid growth since its inception has caught the attention of bad actors, and the number of attacked protocols on the network has risen sharply in recent months.
CryptoPotato has reported on several of them, including Spartan Protocol, which was attacked earlier in May and lost over $30 million of users’ funds.
Shortly before that, it was Uranium Finance’s turn: the BSC-based automated market maker saw roughly $50 million stolen from its pools, although some suggested the incident could have been a rug pull.
Similar concerns were raised about Meerkat Finance after $30 million was drained from the protocol in March this year.