Uranium Finance, an automated market maker on Binance Smart Chain, suffered its second hack this month, this time to the tune of $50M.
According to Kyle Kistner, co-founder of DeFi protocol bZx, the hack stems from a misstep in a code modification that allowed the hacker to exchange one unit of an input token for 98% of the value as output.
According to Igor Igamberdiev, research analyst at The Block, Uranium’s code didn’t have the error prior to migrating to the project’s V2, which introduced the vulnerability. The Uranium team was in the process of migrating to a version 2.1, which included a patch of the above security hole, when the attack occurred, according to the Uranium team’s Twitter.
Igamberdiev says that the vulnerability was exploitable for all 11 days that Uranium’s V2 was active.
The project had already suffered a hack in early April, in which the automated market maker lost $1.3M. The attacker returned $1M in exchange for the Uranium team agreeing to “not take any further action against him and let him be,” as stated in the project’s post-mortem.
Potential Rug Pull
The bug’s introduction into Uranium’s V2 codebase and its slated change in V2.1 show that the project knew about the bug before the exploit. This, combined with the fact that the team’s GitHub repository has been removed, led Igamberdiev to suggest that the hack was an inside job, known as a rug pull in DeFi.
Uniswap founder Hayden Adams chimed in on Twitter, saying that there was “no good reason to change these lines of code.”
Uranium is a fork of Sushiswap, itself a fork of Uniswap, and the bug was in neither project’s contract code.
The Uranium team, which is anonymous, has responded to the accusations with a post saying that their own developer team discovered the potential exploit ten days into V2’s deployment.
The code deployed after the project’s first hack (unrelated to this recent one) had been reviewed by Defiyield.info and by Hyperjump, and received an audit by BSC Gemz. BSC Gemz highlighted an associated low-level risk, which led the team to discover the potential exploit.
According to the post, the team saw three options in light of the vulnerability: bring in help from BSC, carry out the exploit themselves in order to front-run external attackers, or upgrade the code. The team chose to upgrade the code but, according to its post-mortem, was beaten to the punch by the attacker.
The Uranium team says they don’t know whether the hack was a “direct consequence of a leak about the exploit from someone in our team, by an authorized third party that reviewed our codebase, or even a random dev who just happened to find the flaw.”
Cleaning Up The Mess
The team says they will work with the Binance and BSC teams to try to identify the attacker. However, according to the team’s post-mortem, the project will not continue.
A day before the hack, the Uranium team posted on Medium saying the upgrade to V2.1 “will be our last migration for a long time.” With the information currently available, it’s impossible to say whether the team knew that the attempted move to 2.1 would be the last ever for the protocol.