Taking stock of an insecure May: BSC hacking review

BSC on-chain projects were attacked repeatedly in May, and the security situation in the DeFi field remains severe. As new EVM-compatible public chains and their ecosystems develop, hackers' targets have gradually shifted from Ethereum to other chains in the DeFi ecosystem.


Foreword

The Binance Smart Chain (BSC) has attracted a large number of DeFi protocols thanks to its low fees and fast block times. This has fueled the growth of the DeFi ecosystem on BSC, which in turn has gradually made it a target for hackers.

Since the start of May, BSC DeFi projects have been attacked frequently, mostly through flash loan attacks. According to statistics, total losses have exceeded $157 million, and the attacks also triggered flash crashes in the token prices of the affected projects, leaving the DeFi ecosystem in a state of mourning. KnowChuangYu Blockchain Security Lab summarizes the security incidents that occurred on BSC in May and discusses the attack techniques and the problems they exposed.

May BSC Security Incident Inventory

The following are the security incidents in the DeFi domain that occurred on the BSC chain in May.

On May 2, the synthetic asset protocol Spartan Protocol was hit by a flash loan attack, resulting in $30.5 million in losses. The arbitrage was caused by a discrepancy in the slippage correction mechanism between adding and removing liquidity.

On May 5, the yield vault project Value DeFi was attacked and lost $10 million because of a conflict in how the protocol's components were combined; it was attacked again two days later, losing a further $11 million.

On May 16, the yield vault project bEarnFi was attacked and lost $18 million. A price calculation error in the strategy contract's withdrawal logic made arbitrage possible.

On May 20, PancakeBunny was hit by a flash loan attack, with losses of approximately $45 million caused by arbitrage against a flawed LP token price calculation.

On May 23, Bogged Finance was hit by a flash loan attack, losing $3 million to arbitrage. The cause was a flaw in the transaction fee burn/dividend mechanism combined with the contract allowing self-transfers.

On May 24, the yield vault project AutoShark was hit by a flash loan attack, losing $750,000 and suffering a token flash crash. As a fork of PancakeBunny, it had inherited the same arbitrage risk.

On May 26, the Merlin project, also a fork of PancakeBunny, was attacked through the same inherited arbitrage risk and lost $6.8 million.

On May 28, BurgerSwap was hit by a flash loan attack in which a reentrancy vulnerability and architectural issues allowed arbitrage, with losses of approximately $3.3 million.

On May 28, JulSwap was hit by a flash loan attack, and its token flash crashed after a miscalculation in the JulProtocolV2 contract allowed attackers to arbitrage.

On May 30, the Belt Finance protocol was hit by a flash loan attack and lost $6.2 million to arbitrage enabled by a manipulable beltBUSD price calculation.

Summary

As new EVM-compatible public chains and their ecosystems develop, hackers' targets have gradually shifted from Ethereum to other chains in the DeFi ecosystem. The attack techniques are all similar: flash loans not only lower the capital cost of an attack, but also greatly increase the payout when an attack succeeds.

In addition, the recent attacks have exposed the fork problem in the current DeFi ecosystem. Many projects build their own DeFi protocols by forking and modifying an existing one, but without a deep understanding of the original protocol they can introduce hidden vulnerabilities or risks. If the original protocol itself carries some risk, that risk quietly spreads to every fork, producing a cascading effect and causing far more damage.

Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/taking-stock-of-an-insecure-may-bsc-hacking-review/