
Binance Smart Chain renews security concerns after $50 million Uranium Finance hack

2021.05.05 Matthew Lam

$50 million was drained from Uranium Finance following an exploit, leading to suspicions that the attack was a rug pull — DeFi Digest 

The price of ETH is surging to new all-time highs, fueling the growth of the decentralized finance ecosystem. This week, the total value locked in DeFi protocols skyrocketed 23% to $76.11 billion, as of the time of this writing. 

Maker led the DeFi market with a 16% share of the sector's total value locked as the total borrowing volume of DeFi protocols posted 24% growth this week. The lending market is currently being led by Compound, which has a 37% market share.

Decentralized exchanges are the top gainers this week, as average weekly trading volumes rose 32% to $5.49 billion. Uniswap continued to lead with a 27% market share. At the same time, SushiSwap remained the largest liquidity pool — with its TVL reaching $2.54 billion.

| Category | Key statistics | Amount | Weekly % change |
| --- | --- | --- | --- |
| Overall | Total value locked (USD) | $76.11 billion | 23% |
| | Market dominance (%) | Maker (16%) | |
| Lending | Total borrowing volume | $21.54 billion | 24% |
| | Market dominance (%) | Compound (37%) | |
| DEXs | Weekly avg. trading vol. | $5.49 billion | 32% |
| | Market dominance (%) | Uniswap (27%) | |
| Yield farming | Largest liquidity pool | SushiSwap ($2.54 billion) | |

The decentralized finance market posted growth of more than 20% in total value locked, lending and decentralized exchanges. Source: DeFi Pulse and DeBank

Uranium Finance hacked for $50 million

This week, Binance Smart Chain saw renewed security concerns following the $50 million hack of Uranium Finance, an automated market maker that provides daily dividends to its users. 

During the protocol's planned v2.1 migration, the Uranium team discovered an exploit on April 28 — $50 million worth of cryptocurrencies was drained.

According to Uranium Finance's post-mortem, there was a swap-fee calculation error in the codebase update for v2. The calculation error led to a bug, which allowed hackers to use the swap function to drain the funds in Uranium's trading pairs.

Bugged code, highlighted in green, led to trading-pair balances during checks and allowed hackers to drain reserves. Source: Uranium Finance

The hacker started to withdraw stolen funds off the Binance Smart Chain. They first withdrew $6.4 million worth of ETH via Tornado Cash. The hacker then withdrew 1,438 ETH and 80 BTC via AnySwap. Over $9 million worth of cryptocurrencies was withdrawn, with the hacker holding the remaining $40.66 million on BSC, as of the time of this writing.

When the Uranium team became aware of the exploit, they urged BSC users to report the hacker's address to prevent further withdrawals. The team also cooperated with Binance's security team to investigate the root cause of the exploit and the hacker's identity. Additionally, the Uranium team set up a Telegram group to coordinate fund recovery for the victims.

Rug pull suspicions

Despite the remedial actions, the Uranium team and community suspected that the hack was actually a rug pull by insiders. The Uranium team noted suspicious "whale" sell-offs during the migration. They also noticed that, prior to the launch of the new v2.1 code, the hacker had already set up their wallet for the exploit. This may imply the attacker was well aware of the Uranium team's plans.

An administrator in Uranium Finance’s Telegram channel, named "Baymax," suspected that someone leaked insider information that allowed hackers to exploit the protocol's vulnerabilities. He also claimed that the leaker could be among the seven core Uranium team members, the three auditors and their respective sub-contractors.

The Uranium team considered launching a whitehat attack to return users' funds once the code was fixed. However, the team did not launch it, citing a lack of confidence, and added that any failed attempt could lead to a further exploit launched by an experienced hacker. Igor Igamberdiev of The Block Research, by contrast, believes that a whitehat attack would be the best option for Uranium Finance to safeguard users' funds.

While Uranium Finance continues to investigate the hack with Binance, the team stated that there will be no v3 as a relaunch. The Uranium team also stated that the project has come to an end and there are no plans to revive it. As a result, the Uranium team has deactivated farming rewards and suggested users remove their liquidity from the pool.


Disclaimer: This material should not be taken as the basis for making investment decisions, nor be construed as a recommendation to engage in investment transactions. Trading digital assets involves significant risk and can result in the loss of your invested capital. You should ensure that you fully understand the risk involved, take into consideration your level of experience and investment objectives, and seek independent financial advice if necessary.