In the early hours of April 28, the Uranium Finance cryptocurrency project came under attack. Preliminary damage is estimated at $50 million.
(1/2)‼️ Uranium migration has been exploited, the following address has 50m in it The only thing that matters is keeping the funds on BSC, everyone please start tweeting this address to Binance immediately asking them to stop transfers.
— Uranium Finance (@UraniumFinance) April 28, 2021
Uranium Finance is built on the Binance Smart Chain and is developing an enhanced automated market-maker protocol.
On April 28, developers planned to migrate liquidity-provider assets to the new version of the protocol. However, a vulnerability arose in the process, allowing hackers to access users’ funds.
A Twitter user going by the handle BeTheb0x drew attention to a bug in the code of the new fork:
Now here’s the code used by the Uranium devs:
See the difference? 1000 was changed to 10000 in two places but not the end. The result? You could swap 1 wei of the input token for 98% of the total balance of the output token. pic.twitter.com/c8pRD55Fe9
— Kyle «1B TVL» Kistner | Fulcrum | bZx (@BeTheb0x) April 28, 2021
“Thus you could swap 1 wei of the input token for 98% of the total balance of the output token,” he wrote.
Representatives of the project confirmed the incident:
“The Uranium Finance migration has been exploited. The following address contains $50 million. It is crucial to keep these funds on the BSC now. Please tweet Binance immediately with this address and ask them to stop transfers.”
The hacker is moving Ethereum out of the project’s wallets via the Tornado Cash mixer.
And here are the transactions with 100s of ETH coming in, and then being send out to Tornado Cash shortly afterwards to clean it up.
Millions of dollars worth of ETH :X pic.twitter.com/p1gzwPIBdj
— MyCrypto.com (@MyCrypto) April 28, 2021
The Uranium Finance developers have contacted Binance security specialists to resolve the issue.
Earlier in March, an unknown attacker hacked the Roll blockchain platform that issues “social money” and stole 3,000 ETH (~$5.7 million).
Follow ForkLog’s news on Twitter.