URANIUM FINANCE $50m HACKED or STOLEN?

We may never know the true nature of the code exploit of Uranium.Finance, a fork of the Uniswap AMM built on the Binance Smart Chain (BSC). Neither the team nor speculators have offered a convincing account of what truly happened. Each party seems to have a different theory; however, there was yet another rugpull.

By Wilfred Victor on April 28, 2021
Category: BSC News

What Happened?

The announcement from Uranium Finance shocked the Crypto Twitter community:

An exploit has just been announced; the V 2.0 code was exploited by an attacker who transferred $50 million away from the LP funds into a swapping platform and specific wallets. The exploiter swapped for BTC, ETH, and DOT.

Transaction details of what took place, as they appeared on the Binance Community Blog:


More Detailed Events and the Likely Occurrence

Following the “hack” incident and the Tweet from Uranium, a Twitter user named Igor Igamberdiev, who went by the handle @frankresearcher, gave a more detailed analysis of what likely happened in his thread:

Here is the breakdown of the funds stolen/hacked:

  • 34k WBNB ($18M)
  • 17.9M BUSD ($17.9M)
  • 1.8k ETH ($4.7M)
  • 80 BTC ($4.3M)
  • 26.5k DOT ($0.8M)
  • 638k ADA ($0.8M)
  • 5.7M USDT ($5.7M)
  • 112k U92
BUSD and BNB remain on the contract since it is problematic to cash them out.

The hacker used the PancakeSwap service to swap DOT and ADA to ETH. The attacker then withdrew 2,438 ETH via Anyswap to Ethereum, followed by 80 BTC. After that, $1 million USDT and $99k DAI (bought with USDT) went to xDAI.

Transactions made from the contract, showing the movement of funds outwards


How was the Exploit Done?

According to FrankResearcher's detailed analysis in his thread, the pair contracts in v2 had a bug: anyone could interact with them and withdraw almost all tokens due to a calculation error.

The bugged code, from FrankResearcher


The balances of pair contracts during sanity checks were a hundred times larger than the real ones. Before interacting with Uranium, the attacker sent the minimum amount of each token to pair contracts. After that, they used a low-level function swap() whose execution should drain both reserves.
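
The scaling mismatch described above can be reproduced in a small integer model and caught with a regression test. This is an added example, not code from the article, from FrankResearcher's thread or from the Uranium contracts; the fee and scale constants, the reserves and all function names are assumptions chosen so that the balance side of the check is a hundred times too large.

```python
# Added example: integer model of the post-swap sanity check in a
# Uniswap-V2-style pair. Constants and reserves are constructed for
# illustration; they are not taken from the Uranium contracts.

SOUND = {"fee_units": 16, "bal_scale": 10_000, "k_scale": 10_000 ** 2}
# Mismatch: balances are scaled by 10_000 but reserves only by 1_000 ** 2,
# so the balance side of the comparison is 100x too large.
MISMATCHED = {"fee_units": 16, "bal_scale": 10_000, "k_scale": 1_000 ** 2}


def swap_accepted(reserves, amounts_in, amounts_out, fee_units, bal_scale, k_scale):
    """Return True if the modelled swap() would pass its checks."""
    if not any(amounts_in) or any(o >= r for o, r in zip(amounts_out, reserves)):
        return False  # no input at all, or output exceeds liquidity
    balances = [r + i - o for r, i, o in zip(reserves, amounts_in, amounts_out)]
    # Fee-adjusted balances, scaled up so the arithmetic stays in integers.
    adj0, adj1 = (b * bal_scale - i * fee_units for b, i in zip(balances, amounts_in))
    r0, r1 = reserves
    return adj0 * adj1 >= r0 * r1 * k_scale


def invariant_violations(params, reserves, amounts_in, steps=20):
    """Regression test: percentages of both reserves that can be paid out
    in an accepted swap while the product of real balances shrinks."""
    bad = []
    for pct in range(0, 100, 100 // steps):
        outs = [r * pct // 100 for r in reserves]
        if swap_accepted(reserves, amounts_in, outs, **params):
            b0, b1 = (r + i - o for r, i, o in zip(reserves, amounts_in, outs))
            if b0 * b1 < reserves[0] * reserves[1]:
                bad.append(pct)
    return bad


if __name__ == "__main__":
    reserves, dust = (1_000_000, 1_000_000), (1, 1)  # constructed sample
    print("sound check:     ", invariant_violations(SOUND, reserves, dust))
    print("mismatched check:", invariant_violations(MISMATCHED, reserves, dust))
```

With consistent scaling the test reports no violations; with the mismatched constant, every sampled payout up to 90% of both reserves is accepted for a one-unit deposit, which is the kind of failure a pre-deployment invariant test on swap() is meant to surface.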

This is surprising because the Uranium team made a migration ten days ago, and the old version didn’t have the bug. The team then identified a bug in the new version, which resulted in version 2.1, and the LP migration was supposed to be today.

Is this a Hack or a Rugpull Event?

Judging from FrankResearcher's detailed thread and the many Tweet replies under it citing suspicious activity by the team before the unfortunate event, the general feeling is that this may not be a hack; rather, it may be a soft rugpull by the team to jeopardize users’ funds. While the community carries this sentiment, it is impossible to know who the malicious user was.

Uranium GitHub Repository is Empty


The team already knew of the bug’s existence in the just-released V 2.0, and no such bug was in the earliest V 1.0. A Version 2.1 was created, and just when the LP migration was due, boom, a hack and exploit… This is another devastating blow to the credibility of the Decentralized Finance (DeFi) ecosystem and the BSC network. It is always crucial to understand smart contract risks and the dangers that come when a new smart contract is implemented.
