On May 30, Belt, a yield-aggregator (“machine gun pool”) and stablecoin exchange platform on BSC, was hacked and lost around $6.2 million. The platform’s 4Belt pool has now suspended withdrawals and deposits, and no official compensation measures have been announced for the investor funds lost in this incident.
This is the second hit Belt has suffered in two months, and the 13th attack on BSC this month.
Belt was last hit on April 21, when Venus suddenly introduced withdrawal fees; Belt did not adjust its strategy in time, and investors who had provided stablecoin LP on the platform lost part of their principal. Belt then upgraded to V2, moving from a single-strategy model to a multi-strategy model. This time the damage was to the funds in the 4Belt pool, and investors who deposited in this pool lost about 6% of their principal. For the losses caused last time, Belt has still not produced any compensation plan.
After the incident, the blockchain security company PeckShield, researchers at The Block and others quickly stepped in to track and analyze it. The attack originated from the attackers manipulating the price of beltBUSD by repeatedly buying and selling BUSD, exploiting a flaw in the balance calculation of the bEllipsisBUSD strategy for profit. All the stolen BUSD was converted to 2680 ETH (about $6 million) via 1inch v3, and the acquired assets were then moved in batches through the Nerve (Anyswap) cross-chain bridge, of which 1463 ETH have not yet left the bridge.
The official BSC Twitter account also tweeted specifically on the matter, suggesting that a hacker group had targeted BSC and calling on projects on BSC to take proper security precautions and to strengthen cooperation with auditing companies and others.
With hacks concentrating on BSC, voices questioning CeDeFi have resurfaced, along with calls to shut down the flash loan feature, since PancakeSwap’s flash loans have repeatedly been used to fund these attacks.
Is CeDeFi safer?
During the DeFi boom of 2020, DeFi public chains built by centralized exchanges, represented by Binance’s BSC and Huobi’s HECO, rose rapidly. Compared with the decentralization of Ethereum, these exchange-backed public chains are criticized for centralization, but for the same reason they find it easier to win the trust of retail investors, who subconsciously assume that if a project runs away they can go to the exchange to claim their money back. Of course, this idea is naive.
At the CoinDesk Consensus 2021 conference, a Binance staff member made it clear that BSC is permissionless infrastructure on which anyone can deploy a project. Hackers exploiting a project’s own logic to launch attacks is a problem that exists throughout the DeFi industry, and expecting a BSC rollback is impossible.
Meanwhile, CZ, the founder of Binance, also said in an interview:
“BSC is an independent blockchain, and Binance has no control over it. Although it is true that Binance has funded and benefited from many BSC projects, these projects are run independently. If I talk to these project teams, they do talk to me, but I basically don’t talk to the project teams on BSC now.”
In fact, in the early days of BSC’s development, Binance did help users recover their funds in some cases.
On October 13, 2020, the AMM platform Wine Swap went live on BSC and ran off with all of its funds within an hour of launch, causing users to lose over $345,000. In this incident, part of the runaway project’s funds were transferred out through the Binance Bridge. Afterwards, the Binance security team, OTC team, finance team, BSC team and Binance Bridge team assisted users in recovering their funds.
This incident was more symbolic than practical: for one thing, the amount involved was not large, and for another, BSC needed to establish a safe and reliable brand image in its early stages. Since then there have been few reports of Binance assisting users in recovering stolen funds, notably in the Uranium attack in April, with a loss of up to $57 million, the largest amount lost on BSC to date.
This cannot simply be blamed on Binance’s inaction. In the early days, funds transferred out of BSC usually had to pass through the Binance Bridge or the Binance exchange, which made it easy for Binance to freeze them. For example, in the Meerkat Finance rug pull in March, the Binance security team closely monitored the flow of funds and froze them once they reached the Binance trading platform; the Binance Bridge was also temporarily shut down to prevent funds from being moved to other blockchains. Eventually, with the joint assistance of Binance, blockchain security companies and community KOLs, the project team involved returned the funds.
However, DeFi is growing by leaps and bounds. With the emergence of more and more decentralized cross-chain facilities such as Anyswap and Nerve, Binance’s ability to control funds on BSC has become inadequate, and once hackers transfer funds to Ethereum through these decentralized cross-chain protocols, they are difficult to recover.
Therefore, BSC officials today suggested introducing a blacklist mechanism or other measures on these decentralized cross-chain protocols to deal with hacker attacks.
Should the flash loan feature be turned off?
Reviewing the flash loan attacks that have appeared on BSC, the source almost always points to PancakeSwap’s flash loan feature.
PancakeSwap is a fork of Uniswap and supports all the features of Uniswap V2, including flash loans (flash swaps). However, this feature is not visible to the average user.
Flash loans are a DeFi innovation that lets users borrow without any collateral, provided the loan is returned within one block (in practice, within the same transaction, otherwise the whole transaction reverts). According to Uniswap’s documentation, the original purpose of flash swaps was to let developers without sufficient capital perform arbitrage, or to improve the capital efficiency of lending protocols. Unfortunately, today flash loans are becoming notorious as a tool for hackers to drain protocols.
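The mechanism described above, as an added example that is not PancakeSwap’s or Uniswap’s code: a toy pool that lends with no collateral, runs the borrower’s callback, and then checks that it has been made whole plus a fee, rolling back every state change of the transaction if not. The pool, the 0.30% fee, the callback signature and the account names are assumptions made for illustration; the ordering (tokens out first, borrower logic, post-condition check, revert on failure) is the principle Uniswap V2 style flash swaps rely on.

```python
"""Flash loan mechanics: an uncollateralised loan that is only valid if it is
repaid, plus a fee, before the same atomic transaction ends.

Added example, not PancakeSwap's or Uniswap's code. The pool, the 0.30 %
fee, the callback interface and the account names are assumptions made for
illustration."""
import copy


class Revert(Exception):
    """Mimics an EVM revert: every state change in the transaction is undone."""


class FlashLoanPool:
    FEE_BPS = 30  # assumed 0.30 % fee, in basis points

    def __init__(self, reserve: int, balances: dict):
        self.reserve = reserve          # tokens held by the pool
        self.balances = dict(balances)  # tokens held by other accounts (constructed)

    def repay(self, payer: str, amount: int) -> None:
        if self.balances.get(payer, 0) < amount:
            raise Revert("insufficient balance")
        self.balances[payer] -= amount
        self.reserve += amount

    def flash_loan(self, borrower: str, amount: int, callback) -> int:
        """Lend `amount` with no collateral. `callback` may do anything, but when
        it returns the pool must hold at least its old reserve plus the fee; if
        not, the whole transaction (the loan included) is rolled back."""
        if amount > self.reserve:
            raise Revert("insufficient liquidity")
        snapshot = copy.deepcopy(self.__dict__)  # state at the start of the tx
        fee = amount * self.FEE_BPS // 10_000
        try:
            # 1. optimistic transfer out, before any repayment has happened
            self.reserve -= amount
            self.balances[borrower] = self.balances.get(borrower, 0) + amount
            # 2. the borrower's arbitrary logic runs here
            callback(self, borrower, amount, fee)
            # 3. post-condition: the pool must be whole plus the fee
            if self.reserve < snapshot["reserve"] + fee:
                raise Revert("flash loan not repaid")
        except Revert:
            self.__dict__.update(snapshot)  # atomic rollback of the whole tx
            raise
        return fee


def honest_borrower(pool, who, amount, fee):
    """Would use the capital here (e.g. an arbitrage), then repays loan + fee."""
    pool.repay(who, amount + fee)


def defaulting_borrower(pool, who, amount, fee):
    """Keeps the tokens and never repays."""


def run_honest():
    # constructed balances: the pool holds 1,000,000, "bob" holds 5,000 of his own
    pool = FlashLoanPool(reserve=1_000_000, balances={"bob": 5_000})
    fee = pool.flash_loan("bob", 100_000, honest_borrower)
    return fee, pool.reserve, pool.balances["bob"]


def run_defaulting():
    pool = FlashLoanPool(reserve=1_000_000, balances={"bob": 5_000})
    try:
        pool.flash_loan("bob", 100_000, defaulting_borrower)
    except Revert as e:
        # the loan never happened: reserve and balances are exactly as before
        return pool.reserve, pool.balances["bob"], str(e)
    return None


if __name__ == "__main__":
    print(run_honest())      # (300, 1000300, 4700)
    print(run_defaulting())  # (1000000, 5000, 'flash loan not repaid')
```

The point for a defender is step 3: the lender never checks the borrower’s creditworthiness, only the pool’s own balance afterwards. Whatever the borrower does inside the callback (including interacting with other protocols such as a vault) is invisible to the lender, which is why any protocol whose prices or balances can be moved within one transaction has to assume an attacker can borrow arbitrary capital to move them.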
While there are calls for PancakeSwap to remove the flash loan feature, PancakeSwap believes that flash loans themselves are neutral and should continue to exist.
How does Belt account for this?
In the previous incident, where Venus introduced fees, Belt’s failure to adjust its strategy in time resulted in losses to user funds. In retrospect, both Venus and Belt bore responsibility. Venus paid little attention to its ecosystem partners and only announced the strategy adjustment on Twitter and Telegram, instead of informing the affected projects in advance, especially Belt, a major client. Belt, for its part, remained indifferent and did not adjust its strategy in time after several official announcements from Venus.
After that incident, the affected investors sought compensation from Belt, but Belt maintained that the fault was not its own and kept pointing the finger at Venus, and it has not come up with a compensation plan for the users on the platform.
In this incident, the problem arose between Belt and the stablecoin exchange protocol Ellipsis (Ellipsisfi). Belt deposited the 4Belt pool’s funds into its own vault, and the vault in turn deposited them into Ellipsis, but it did not take into account that Ellipsis’s stablecoins cannot be withdrawn 1:1; there is a price difference. This gave hackers an opening to launch a flash loan attack. Ellipsis also made it clear that the mistake was in Belt’s strategy.
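The accounting point above (a strategy that values its position as if it could always be withdrawn 1:1, when the underlying pool actually pays out at a rate that can drift below that) is easiest to see with a toy vault. The following is an added example, not Belt’s or Ellipsis’s code: ToyStablePool, NaiveStrategy, QuotedStrategy, Vault and check_invariant are hypothetical names, the pool is reduced to a single constructed withdrawal rate in basis points, and the 1,000,000 BUSD deposit and the 0.97 rate are constructed values. It shows the invariant a vault should enforce (reported balance never exceeds what the pool would actually pay out) and how a naive valuation lets one withdrawal take more than its share, leaving the remaining depositors under-backed.

```python
"""Vault share accounting: a strategy must report only what it can realise.

Added example, not Belt's or Ellipsis's code. ToyStablePool stands in for a
stablecoin pool whose withdrawal rate (in basis points) can drop below 1:1;
that rate is a constructed value standing in for pool imbalance. All class
and function names here are hypothetical."""
import math

BPS = 10_000


class Shortfall(Exception):
    """The strategy holds fewer LP tokens than needed to cover a payout."""


class ToyStablePool:
    def __init__(self, busd_per_lp_bps: int):
        self.busd_per_lp_bps = busd_per_lp_bps  # e.g. 9700 = 0.97 BUSD per LP token
        self.lp_of = {}                         # LP tokens held per account

    def add_liquidity(self, who: str, busd: int) -> int:
        lp = busd * BPS // self.busd_per_lp_bps
        self.lp_of[who] = self.lp_of.get(who, 0) + lp
        return lp

    def quote_busd(self, lp: int) -> int:
        """BUSD the pool would pay right now for `lp` tokens."""
        return lp * self.busd_per_lp_bps // BPS

    def remove_liquidity(self, who: str, busd_wanted: int) -> int:
        lp_needed = math.ceil(busd_wanted * BPS / self.busd_per_lp_bps)
        if lp_needed > self.lp_of.get(who, 0):
            raise Shortfall(f"need {lp_needed} LP, hold {self.lp_of.get(who, 0)}")
        self.lp_of[who] -= lp_needed
        return lp_needed


class NaiveStrategy:
    """Counts each LP token as exactly 1 BUSD, ignoring the pool's real rate."""
    NAME = "vault"

    def __init__(self, pool: ToyStablePool):
        self.pool = pool

    def invest(self, busd: int) -> None:
        self.pool.add_liquidity(self.NAME, busd)

    def divest(self, busd: int) -> int:
        return self.pool.remove_liquidity(self.NAME, busd)

    def lp(self) -> int:
        return self.pool.lp_of.get(self.NAME, 0)

    def balance(self) -> int:
        return self.lp()  # the flawed 1:1 assumption


class QuotedStrategy(NaiveStrategy):
    """Values the LP tokens at what the pool will actually pay for them."""

    def balance(self) -> int:
        return self.pool.quote_busd(self.lp())


class Vault:
    """Share-based vault: shares are minted and redeemed at balance()/total_shares."""

    def __init__(self, strategy: NaiveStrategy):
        self.strategy = strategy
        self.total_shares = 0

    def deposit(self, busd: int) -> int:
        bal = self.strategy.balance()
        shares = busd if self.total_shares == 0 else busd * self.total_shares // bal
        self.strategy.invest(busd)
        self.total_shares += shares
        return shares

    def withdraw(self, shares: int) -> int:
        payout = shares * self.strategy.balance() // self.total_shares
        self.strategy.divest(payout)  # raises Shortfall if the pool cannot cover it
        self.total_shares -= shares
        return payout


def check_invariant(vault: Vault) -> bool:
    """Reported balance must never exceed what the pool would actually pay out."""
    s = vault.strategy
    return s.balance() <= s.pool.quote_busd(s.lp())


def scenario(strategy_cls, rate_after_bps: int = 9700):
    """Deposit 1,000,000 BUSD at par, let the pool rate drift to 0.97, then one
    depositor redeems 10 % of the shares. Returns (invariant held, payout,
    BUSD realisable for the remaining 90 % of shares)."""
    pool = ToyStablePool(BPS)               # 1:1 at deposit time
    vault = Vault(strategy_cls(pool))
    shares = vault.deposit(1_000_000)
    pool.busd_per_lp_bps = rate_after_bps   # constructed drift away from 1:1
    ok = check_invariant(vault)
    payout = vault.withdraw(shares // 10)
    remaining = pool.quote_busd(vault.strategy.lp())
    return ok, payout, remaining


if __name__ == "__main__":
    print(scenario(NaiveStrategy))   # (False, 100000, 869999)
    print(scenario(QuotedStrategy))  # (True, 97000, 873000)
```

With the naive strategy the invariant fails as soon as the rate moves, and the first redeemer is paid 100,000 BUSD for shares that are really worth 97,000, so the other 90% of shares are left backed by about 870,000 BUSD instead of 873,000. Valuing the position at the pool’s own quote keeps every redemption proportional to what can actually be realised. A real pool’s quote can itself be pushed around within a transaction, so in practice the quote should also be checked against a reference price or a time-weighted value before it is trusted for share pricing.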
From this morning until now, Belt’s official Twitter account has released only two tweets. The official Chinese WeChat group is in uproar, investors are furious, and some individual investors said that once withdrawals are reopened they will quit Belt forever. In the Telegram group, the administrator said the funds are safe and that the team is working on a compensation plan and will release a report soon.
I hope that this time, Belt can come up with a compensation plan that will satisfy investors.
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/belt-attacked-by-lightning-loans-is-cedefi-safe-how-to-explain-to-investors/