April 28, 2021 | AtoZ Markets – On the night of April 28, Uranium Finance, an automated market maker platform on the Binance Smart Chain reported a security incident that resulted in a loss of about $50 million.
Uranium Finance joins the growing list of hacked projects
Tweeting on Wednesday, Uranium revealed that the exploit targeted its v2.1 token migration event and that the team was in contact with the Binance security team to mitigate the situation.
(1/2)‼️ Uranium migration has been exploited, the following address has 50m in it The only thing that matters is keeping the funds on BSC, everyone please start tweeting this address to Binance immediately asking them to stop transfers.
— Uranium Finance (@UraniumFinance) April 28, 2021
On April 28, the developers planned to migrate the assets of liquidity providers to the new version of the protocol. However, in the process, a vulnerability arose, due to which hackers gained access to users' funds.
Project representatives confirmed the incident:
“The Uranium Finance migration was exploited. The next address contains $50 million. It is now important to keep these funds with BSC. Tweet this address immediately to Binance and ask them to stop transfers. "
The hacker withdraws Ethereum from the project wallets through the Tornado Cash mixer.
And here are the transactions with 100s of ETH coming in, and then being send out to Tornado Cash shortly afterwards to clean it up.
— MyCrypto.com (@MyCrypto) April 28, 2021
Millions of dollars worth of ETH :X pic.twitter.com/p1gzwPIBdj
Uranium Finance developers contacted Binance security experts to resolve the issue.
The team has created a Telegram group for victims of the hack while promising to provide updates on the progress being made to recover the stolen funds.
Meanwhile, speculation is rife as to whether the attack was an inside job, given the sudden decision to engineer another version upgrade barely 11 days after completing the v2 migration.
A Twitter user under the pseudonym BeTheb0x drew attention to a bug in the code of the new fork:
Now here's the code used by the Uranium devs:
— Kyle "1B TVL" Kistner | Fulcrum | bZx (@BeTheb0x) April 28, 2021
See the difference? 1000 was changed to 10000 in two places but not the end. The result? You could swap 1 wei of the input token for 98% of the total balance of the output token. pic.twitter.com/c8pRD55Fe9
Wednesday’s hack is the second attack on the Uranium project in quick succession. Earlier in April, hackers exploited one of the platform’s pools, stealing about $1.3 million worth of BUSD and BNB.
Recall that in March, an unknown person hacked the blockchain platform for the release of "social money" Roll and stole 3,000 ETH ($5.7 million).
Think we missed something? Let us know in the comment section below.