Binance Smart Chain (BSC), the Ethereum competitor for DeFi protocols, has been facing severe flash loan attacks since the beginning of May 2021. The latest victim is DeFi protocol BurgerSwap. The platform recently reported that at around 3 AM on Friday, May 28, BurgerSwap suffered a flash loan attack on BSC in which the attackers took $7.2 million in just 14 transactions.
To exploit the platform, the attackers created their own fake BEP-20 token and formed a new trading pair with $BURGER. Through some routing adjustments, the “attacker created $BURGER -> Fake Coin -> $WBNB routing; through $BURGER -> Fake Coin trading pair”.
Later, using the fake coin and the manipulated reserves in the pair’s contract, the attacker re-entered BurgerSwap while changing the price of $BURGER. The attacker then re-entered the transaction to trade back the $WBNB and thus obtain the extra amount of WBNB inputted. In a thread, BurgerSwap explains step by step how the attacker managed to take $7.2 million. Below is the complete list of what was stolen.
What was stolen:
– 4.4k WBNB ($1.6M)
– 22k BUSD ($22k)
– 2.5 ETH ($6.8k)
– 1.4M USDT ($1.4M)
– 432k BURGER ($3.2M)
– 142k xBURGER ($1M)
– 95k ROCKS
— BurgerSwap (@burger_swap) May 28, 2021
The price of the $BURGER token is down by more than 20% and is currently trading at $6.65 with a market cap of $80.3 million.
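The re-entry described above can be shown with a simplified model; this is an added example, not BurgerSwap's contract code or anything from its thread. It assumes a fee-free constant-product pair that syncs its reserves only after calling the input token, and `Pair`, `PlainToken`, `CallbackToken`, `run` and all numbers are constructed for illustration.

```python
class ReentrancyError(Exception):
    """Raised when swap() is entered again before it has finished."""

class Pair:
    """Toy constant-product pair (x * y = k, no fee). Constructed model."""
    def __init__(self, reserve_in, reserve_out, guarded):
        self.reserve_in, self.reserve_out = reserve_in, reserve_out
        self.guarded, self.locked = guarded, False

    def swap(self, token_in, amount_in):
        if self.guarded and self.locked:
            raise ReentrancyError("swap re-entered before reserves were synced")
        self.locked = True
        try:
            # Quote the output from the reserves as currently recorded.
            out = self.reserve_out * amount_in // (self.reserve_in + amount_in)
            # External call into the input token: untrusted code can run here.
            token_in.transfer_in(self, amount_in)
            # Reserves are synced only after that call returns.
            self.reserve_in += amount_in
            self.reserve_out -= out
            return out
        finally:
            self.locked = False

class PlainToken:
    def transfer_in(self, pair, amount):
        pass  # a well-behaved token only moves balances

class CallbackToken:
    """Stand-in for an attacker-created token whose transfer re-enters once."""
    def __init__(self):
        self.entered, self.reentered_out = False, 0
    def transfer_in(self, pair, amount):
        if not self.entered:
            self.entered = True
            self.reentered_out = pair.swap(self, amount)

def run(guarded, token, swaps):
    """Return (total output received, reserve product x * y afterwards)."""
    pair = Pair(1_000, 1_000, guarded)  # constructed starting reserves
    total = sum(pair.swap(token, 500) for _ in range(swaps))
    total += getattr(token, "reentered_out", 0)
    return total, pair.reserve_in * pair.reserve_out

if __name__ == "__main__":
    print("two ordinary swaps:", run(True, PlainToken(), 2))
    print("re-entry, no guard:", run(False, CallbackToken(), 1))
```

In the unguarded run both swaps are priced from the same stale reserves, so the reserve product falls from 1,000,000 to 668,000; a lock on `swap` or a check that the product has not decreased rejects that transaction.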
Binance Smart Chain (BSC) and Flash Loan Attacks
This is the fourth flash loan attack to take place on Binance Smart Chain (BSC) within a month. Over the last two weeks, we have reported attacks on DeFi protocols Pancake Bunny, Bogged Finance, and AutoShark Finance.
The prices of their respective DeFi tokens have crashed by over 90%, eroding a large amount of investors’ money. The frequency with which attackers are exploiting Binance Smart Chain (BSC) has led investors to question the security of the platform.
Since the beginning of May, the total losses on BSC due to multiple flash loan attacks have exceeded 150 million U.S. dollars. Another DeFi project, JustLiquidity Swap, aka JulSwap, has been facing a similar situation. However, its founder has confirmed that there has been no exploit or hack at the protocol level.
We investigated the dump tonight on Jul. It seems it was the same situation as some other projects experienced in the last weeks due to a flash loan.
There is NO hack or exploit!
Flash Loan Hash: https://t.co/AVus5B2ZVX
More information soon.
— TG Crypto (@tg_cryptos) May 28, 2021