Black May: 11 projects on BSC attacked with nearly $300 million in losses; who will be next?

Forking is easy, but security is not just one step away.

On May 28th, BSC got bad news again: two more projects were hacked.

BurgerSwap, an automated market maker on the BSC chain, and JulSwap, a DEX protocol on the BSC chain, were hit one after another by flash loan attacks, with the former losing $7 million and the latter losing an unknown amount.

So far, as many as 11 hacking attacks, exit scams and even insider thefts have occurred on BSC in May, involving a total of $260 million. Is the concentration of incidents on BSC in May a coincidence or inevitable? Is it insider theft, or is BSC being targeted by hackers? Investors in BSC projects are alarmed, debating which project will be attacked next and whether to flee the BSC ecosystem.

11 projects blew up in quick succession, with losses of nearly $300 million
This May has been the bleakest month for BSC. Eleven projects blew up in quick succession this month, including Venus, BSC’s largest lending platform; pancakebunny, BSC’s largest yield aggregator (“machine gun pool”); and BurgerSwap, BSC’s earliest DEX platform. Before the attacks, some of these projects were at their peak, while others had long been in decline. After being attacked, some platforms responded well and the community regained confidence; some were slow to act and were cursed by the community; and some simply ran away in plain sight.

Rabbit of conscience – pancakebunny

Pancakebunny is the largest yield aggregator (“machine gun pool”) on BSC and was once the largest in the DeFi space, with a peak locked value of over $7.5 billion. It is credited above all with helping pancakeswap lock up CAKE’s liquidity, driving CAKE’s market cap higher and higher. To this day, some investors in the community still steadfastly hoard CAKE and almost never sell.

Pancakebunny was attacked using flash loans, which the hackers used to manipulate the WBNB-BUNNY pool and thereby drive up the price of LPs, allowing the BunnyMinterV2 contract to mint 6.97 million BUNNY in rewards (worth about $1 billion). The hackers took 697,200 BUNNY and 114,600 BNB from the attack and have since converted some of the assets to ETH via 1inch and via the anyswap bridge.
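The pricing weakness described above can be seen in a simplified model, added here as an illustration and not taken from BunnyMinterV2 or any project's code. The pool reserves, swap fee, reward rate and deviation threshold are constructed assumptions; the point is that a reward minter which values fees at a pool's spot price inherits whatever a single large swap does to that price, while a minter that prices at a time-weighted reference and rejects large deviations does not.

```python
from dataclasses import dataclass

FEE = 0.0025            # assumed swap fee of the modelled pool
REWARD_PER_QUOTE = 3.0  # assumed: reward tokens minted per unit of quote value
MAX_DEVIATION = 0.05    # assumed: tolerated spot-vs-reference gap (5%)

@dataclass
class Pool:
    asset: float  # reserve of the token being priced
    quote: float  # reserve of the quote token (e.g. WBNB)

    def spot_price(self) -> float:
        """Price of one asset unit in quote units, read straight from reserves."""
        return self.quote / self.asset

    def swap_quote_for_asset(self, quote_in: float) -> float:
        """Constant-product swap (x*y=k after fee); returns asset units paid out."""
        effective = quote_in * (1 - FEE)
        asset_out = self.asset * effective / (self.quote + effective)
        self.quote += quote_in
        self.asset -= asset_out
        return asset_out

def mint_naive(pool: Pool, fee_asset: float) -> float:
    """Values the performance fee at the manipulable spot price."""
    return fee_asset * pool.spot_price() * REWARD_PER_QUOTE

def mint_guarded(pool: Pool, fee_asset: float, reference_price: float) -> float:
    """Prices at a time-weighted reference and refuses to mint if spot has drifted."""
    deviation = abs(pool.spot_price() / reference_price - 1)
    if deviation > MAX_DEVIATION:
        raise ValueError(f"spot deviates {deviation:.0%} from reference; mint refused")
    return fee_asset * reference_price * REWARD_PER_QUOTE

def demo() -> dict:
    pool = Pool(asset=1_000_000.0, quote=10_000.0)  # constructed reserves
    reference = pool.spot_price()                   # stands in for a TWAP from earlier blocks
    honest = mint_naive(pool, fee_asset=100.0)
    pool.swap_quote_for_asset(90_000.0)             # one oversized swap inside a single transaction
    inflated = mint_naive(pool, fee_asset=100.0)
    try:
        mint_guarded(pool, 100.0, reference)
        refused = False
    except ValueError:
        refused = True
    return {"honest": honest, "inflated": inflated, "refused": refused}
```

In this constructed scenario the same fee mints roughly a hundred times more rewards after the swap when valued at spot, and the guarded path refuses to mint at all.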

After the incident, pancakebunny acted quickly, first suspending deposits and withdrawals and then patching the vulnerability. At 11pm that night, pancakebunny published a compensation plan, one element of which was to compensate the difference between the original holder’s market value at the time of the exploit and the current retained value of $39 million (loss) by issuing a new token, pBUNNY, and creating a compensation pool. The proposal is sincere: it means that the losses of bunny holders will be fully covered by the project. The community roared with approval, praising the bunny of conscience, and the price of bunny rose from $2 to $40 after the attack.

Of all the projects on BSC, pancakebunny has handled its crisis best, coping with it gracefully and coming up with a satisfactory compensation measure.

The most cursed project – Venus

Venus is the largest lending project on BSC, known by netizens as Binance’s own son, with peak deposits of over $15 billion, almost equal to those of AAVE in the same period.

Venus has been criticized for, among other things: 1) arbitrarily adding CAN as collateral shortly after launch, resulting in 3,000 BTC being borrowed out; 2) over-minting VAI that could not be liquidated because of bugs, resulting in a significant drop in the XVS price; 3) abruptly charging withdrawal fees, causing a large number of yield aggregators (“machine gun pools”) on BSC to suffer losses of varying degrees; 4) slow project progress and disregard for the demands of community investors.

If the earlier “CAN incident” was due to the team’s inexperience, the “collateralized XVS malicious lending” this time shows that the team has made no progress after its mistakes. XVS has extremely low market depth, so its price can be easily manipulated. On the night of May 19, the XVS price spiked, and near the highest price point a large investor pledged XVS as collateral to borrow a large amount of BTC and ETH. After that, XVS quickly collapsed, the pledged XVS was liquidated, and the Venus platform was left with more than $100 million in bad debt.

After the incident, the community cursed, and the last trust investors had in Venus was completely depleted. An article on Medium today, “IO Exploit – An Inside Job”, questioned the massive liquidation caused by the “collateralized XVS malicious lending”.

Always hacked, always in tears – Value DeFi

Value DeFi’s original name was YFValue; it was deployed on Ethereum and later expanded to BSC. According to Godfish, this project has been hacked at least 6 times. Netizens chortled, “6 times still haven’t gotten hung, tenacious life force.”

Value was attacked twice, on May 5 and May 7, with an interval of only 1 day. During the attack, arbitrageurs took the opportunity to make profits. Fishpool founder Godfish said that arbitrageurs used $3,000 to buy 370,000 gvValue-B on BSC, moved them across to ETH to unwrap more than 400,000 VALUE, and then withdrew these to Huobi and sold them for more than 10 million RMB.

After the incident, Value DeFi released a gvValue-B compensation plan, which will use the insurance fund, multi-signature and team funds to compensate. The successive attacks badly sapped Value’s vitality, with locked value falling from a high of about $1 billion to $20 million. Yesterday, Value DeFi officials said that the compensation plan for vBSWAP and VALUE holders is nearing its end.

Security expert: there are many vulnerabilities; it is only a matter of time before they are discovered
The cluster of incidents on BSC in May has triggered various speculations: is it a coincidence or inevitable? Is it insider theft, or is BSC being targeted by hackers? In fact, quite a few DeFi projects have run into trouble recently, so this is not unusual.

BSC had not been attacked much before, and many project teams are not that vigilant, so the hackers’ attention has shifted there.

AmberGroup blockchain security expert Dr. Wu Jiazhi told Babbitt that there should be a team focusing on BSC, which has a lot of vulnerabilities. The mistakes that have been made and the attack weapons that have been used on Ethereum are all present on BSC.

On May 2, the first flash loan attack occurred on BSC, kicking off the wave of flash loan attacks on BSC that followed.

Before that, probably the technical team did not try or did not quite know how to launch a flash loan on BSC, and with this experience, it was much easier to launch a flash loan on BSC, Wu said.

In addition, since there was previously no cross-chain bridge on BSC, the money could not escape Binance’s grasp; but later on, with anyswap and nerve providing decentralized cross-chain services, hackers could launder the money into ETH to escape from BSC, and there was no way for Binance to freeze it.

In this concentrated wave of attacks, we noticed that forks of pancakebunny, such as merlinlab and AutoShark, were also not spared after pancakebunny was attacked. This indirectly shows that these project teams only forked the code of other projects without fully understanding its logic, so they could not escape being attacked. In particular, merlinlab was attacked twice in one day, which deserves a deep review.

After the series of attacks, those hurt the most were undoubtedly the investors who believed in value coins: their tokens were basically “zeroed out” after the attacks, and they lost a lot of money. This is disastrous for the newly established value evaluation system in the DeFi market, and “digging and selling” seems to be the only right way to go.

Posted by: CoinYuppie. Reprinted with attribution to: