A new DeFi hack has targeted BSC's Uranium Finance protocol, leaving it with $50 million in losses. The hack occurred during the protocol's migration to its second version. 

Decentralized finance (DeFi) has been shaken again by a hack that left $50 million in losses, extracted from the Uranium Finance protocol in several cryptocurrencies. According to reports posted by the BSC-based protocol's developers on their Twitter account, the exploit occurred while the project was migrating to its second version to patch a security vulnerability found by auditors.

Uranium Finance developers reported that “Uranium migration has been exploited”, and shared the address to which the stolen funds were sent, inviting users and investors to share the address and report it to Binance so that it could be blocked. From that address it can be seen that the $50 million lost by the protocol was extracted in various cryptocurrencies and digital assets, including Bitcoin (BTC), Ethereum (ETH), Binance USD (BUSD), Binance Coin (BNB) and U92, the DeFi protocol's native token.

So far, the developers say they are working with Binance security teams to trace and block the stolen funds, and they continue to call on those responsible for the hack to negotiate and return the funds to affected users and investors.

“If you are in possession of the funds or know someone who is, please contact me now to arrange a deal before it goes up.”

So far this year, DeFi has suffered at least a dozen hacks, which together amount to more than $160 million in losses. This latest hack is, by value, the largest DeFi hack of 2021 to date.


Fragmented trust in teams

Although the developers have not issued an official report, on their Telegram channel the team appears to suspect that the hack was an inside job, with the protocol's own developers and auditors as the main suspects.

On Telegram, the group administrator, who goes by the pseudonym baymax, posted a message indicating that an audit of the DeFi protocol had revealed a vulnerability classed as low severity, but one that was present in the live project and put the protocol's liquidity, which exceeded $80 million, at risk.

Uranium Finance Telegram Group. 

To fix the security flaw, the team opted to create a second version of Uranium Finance, v2.1, and begin migrating the protocol to it. However, during this migration, an attacker exploited the vulnerability and managed to extract more than 60% of the deposited funds.

“We had to go with (option) 2. And we were only 2 hours into v2.1 when the exploit occurred”.

The Uranium Finance Hack: An Inside Job?

Baymax maintains that very few people knew about the exploit. “There are a total of 7 people at Uranium who were aware of the exploit. Outside of Uranium, there would be the 3 contract auditors and their respective (subcontractors) who could be aware of this flaw”. He therefore suspects it was an inside job: for Baymax, someone on the team or among the auditors must either have exploited the vulnerability themselves or leaked the information for someone else to do so.

Baymax invited all users and investors to withdraw their liquidity from the DeFi protocol. He also stressed that any data or information should be sent to him directly via private message, and not to any member of the Uranium Finance development team.

Suspicions from the crypto community and those affected

Despite Baymax's statements, and his claim that he lost 90% of his own investment portfolio in the hack, some members of the crypto community were not satisfied with the explanations.

One user commented that he thinks the vulnerability was “created” in version 2 in order to extract funds, while others doubt that “keeping silent and posting open were the only two options,” alluding to Baymax's explanation that there were “only” two ways to deal with the vulnerability detected by the auditors.

Other affected users are also questioning why the team did not carry out a “whitehat attack” to move the deposited funds to safety, instead of waiting a full day while preparing the second version, which gave attackers time to exploit the vulnerability.

So far, both Baymax's statements and the users' suspicions are mere assumptions. However, if it is confirmed that the developers were involved in the hack, Uranium would be the second BSC DeFi protocol to fall at the hands of its own developers. The first such case was TurtleDEX, whose team disappeared with $2.5 million of investors' money in a so-called “rug pull.”

BSC, the chain on which Uranium Finance and TurtleDEX were built, is a blockchain growing in popularity thanks to its scalability and low transaction fees, but it also seems to be becoming home to little-known and unethical developers who show no mercy to investors.
