Hacker stole $6.2 million from Belt Finance DeFi protocol


A hacker stole $6.2 million from Belt Finance, a DeFi protocol built on the Binance Smart Chain (BSC).

1/8

New weekend — a new attack on BSC DeFi protocol.

Today $6.2M in BUSD was stolen from Belt Finance in 8 transactions.

Below is what happened👇 pic.twitter.com/1URb9sJud0

— Igor Igamberdiev (@FrankResearcher) May 29, 2021

«A new weekend — another attack on a DeFi protocol based on BSC. Today $6.2 million in BUSD was stolen from Belt Finance in eight transactions», wrote The Block researcher Igor Igamberdiev.

According to his observations, the attacker borrowed $385 million in BUSD on PancakeSwap. After that, he deposited $10 million into the bEllipsisBUSD strategy.

2/8

Each transaction looked like this:

1) Used 8 flash loans on $385M BUSD from PancakeSwap

2) Deposited 10M BUSD in bEllipsisBUSD strategy (only for the first transaction, where it was the ‘Most Insufficient Strategy’) pic.twitter.com/JRgDSgub6F

— Igor Igamberdiev (@FrankResearcher) May 29, 2021

The hacker then deposited $187 million in BUSD into the bVenusBUSD strategy. The steps that followed were repeated more than seven times: first, he swapped $190 million in BUSD for $169 million in USDT via Ellipsis.

3/8

3) Deposited 187M BUSD to bVenusBUSD strategy (‘Most Insufficient Strategy’)

❗️The following steps are repeated seven+ times 🔄

4) Swapped 190M BUSD to 169M USDT through Ellipsis pic.twitter.com/HTwrhkuuu6

— Igor Igamberdiev (@FrankResearcher) May 29, 2021

After that, the attacker withdrew more BUSD from the bVenusBUSD strategy and swapped $169 million in USDT for $189 million in BUSD, using Ellipsis. Then he deposited BUSD into the bVenusBUSD strategy.

4/8

5) Withdrew more BUSD from bVenusBUSD strategy (‘Most Overlooked Strategy’)

6) Swapped 169M USDT to 189M BUSD through Ellipsis

7) Deposited BUSD to bVenusBUSD strategy (‘Most Insufficient Strategy’) pic.twitter.com/LQXbo1S42N

— Igor Igamberdiev (@FrankResearcher) May 29, 2021

In the end, the hacker repaid the flash loans and withdrew the profit.

5/8

❗️End of repetition 🔄

8) Repaid flash loans and withdrew profit pic.twitter.com/sPODKgppOc

— Igor Igamberdiev (@FrankResearcher) May 29, 2021

Igamberdiev explained that the beltBUSD price depends on the sum of the balances across all strategies on the platform. Manipulating those strategy balances therefore makes it possible to influence the price of Belt Finance’s asset.

7/8

However, if there is a way to manipulate other strategies, it is possible to manipulate the beltBUSD price.

Apparently, by buying and selling BUSD, the attacker manipulated this price with a bug in the bEllipsisBUSD strategy balance calculations. pic.twitter.com/WyMLWDChJ9

— Igor Igamberdiev (@FrankResearcher) May 29, 2021

«It seems that by buying and selling BUSD the attacker manipulated its price, using a bug in the balance calculations of the bEllipsisBUSD strategy».
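The dependency described above, as an added example that is not part of the original article and is not Belt Finance's contract code: a simplified Python model of a vault whose share price is the sum of its strategy balances, with and without a price-deviation guard. The 50/50 balances, the 10% misreported balance and the 0.5% guard threshold are constructed assumptions; the article does not describe the actual bug or the fix.

```python
# Added illustration; a simplified model, not Belt Finance's contract code.
class Vault:
    def __init__(self, balances, shares, max_move=0.005):
        self.balances = dict(balances)   # strategy -> reported balance, millions of BUSD
        self.shares = shares             # vault shares outstanding
        self.max_move = max_move         # hypothetical guard threshold: 0.5%
        self.ref_price = self.price()    # reference price, e.g. stored in an earlier block

    def price(self):
        # Price per share depends on the sum of balances across all strategies.
        return sum(self.balances.values()) / self.shares

    def _check(self, guarded):
        # Guard: refuse to mint or redeem while the price is far from the reference.
        drift = abs(self.price() - self.ref_price) / self.ref_price
        if guarded and drift > self.max_move:
            raise ValueError(f"price moved {drift:.1%} from reference; operation rejected")

    def deposit(self, strategy, amount, guarded):
        self._check(guarded)
        minted = amount / self.price()
        self.balances[strategy] += amount
        self.shares += minted
        return minted

    def withdraw(self, strategy, shares, guarded):
        self._check(guarded)
        amount = shares * self.price()
        self.balances[strategy] -= amount
        self.shares -= shares
        return amount


def round_trip(distortion, guarded):
    """Deposit 10, let one strategy misreport its balance, withdraw; return the gain."""
    v = Vault({"bEllipsisBUSD": 50.0, "bVenusBUSD": 50.0}, shares=100.0)  # constructed
    minted = v.deposit("bVenusBUSD", 10.0, guarded)
    v.balances["bEllipsisBUSD"] *= 1 + distortion  # stands in for the miscalculated balance
    return v.withdraw("bVenusBUSD", minted, guarded) - 10.0


if __name__ == "__main__":
    print("unguarded gain:", round(round_trip(0.10, guarded=False), 4))
    try:
        round_trip(0.10, guarded=True)
    except ValueError as exc:
        print("guarded:", exc)
```

In the unguarded run the withdrawal pays out more than was deposited, and that gain comes out of the other depositors' funds; with the guard enabled the same withdrawal is rejected because the share price has drifted from its reference.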

8/8

All stolen BUSD was converted to 2680 anyETH ($6M) via 1inch v3 and partially withdrawn to Ethereum.

1463 ETH has not left the cross-chain bridge at the moment. pic.twitter.com/3luhDoLTFc

— Igor Igamberdiev (@FrankResearcher) May 29, 2021

«All of the stolen BUSD was converted on 1inch v3 into 2680 anyETH worth $6 million. Part of the funds moved to Ethereum. At the moment, 1463 ETH has not left the cross-chain bridge», noted Igamberdiev.

Representatives of Belt Finance said they are investigating the incident and preparing a compensation plan. Withdrawals from the BSC vaults are paused until the smart contract is updated.

Partial funds of our 4Belt pool have been affected. (Accurate amount will be announced soon).
We are now analysing and fixing our contract for safety.
Compensation plan and accident report will be up soon.
Withdraw of BSC vaults will be paused until contract upgrade is complete

— Belt Finance (@BELT_Finance) May 30, 2021

The BELT token price over the last 24 hours fell by 27.6%, according to CoinGecko. The Belt Finance platform ranks second in the Defistation index, which measures the value of assets engaged in the protocols.

Data: Defistation.

Earlier, ForkLog reported that a hacker drove the price of the PancakeBunny token down by 80%. To manipulate prices in the USDT/BNB and BUNNY/BNB pairs, he borrowed funds on PancakeSwap.
