If you look on Etherscan, you can see that there are eight Ethereum-based decentralized exchanges and many more ERC20 tokens, but all of them rely on the same bad code. This isn’t just copying and pasting the same old code over and over: it is copying and pasting the same old code with a few new lines and no new ideas. It is clear that the people writing this software have never tried to write secure software before.
Blog post: https://noirds.com/blog/hacked-defi-good-code-for-defi-dont-exist/
Earlier this week, Uranium Finance, a DeFi project on Binance Smart Chain, said it lost $50 million to an exploit of its platform, whose code was largely borrowed from Uniswap, a large decentralized cryptocurrency exchange running on the Ethereum blockchain.
Its Automated Market Maker (AMM) protocol is a fork of Uniswap V2, with the added bonus of daily dividends for its users.
The Uranium developers had released version 2 of their contracts only eleven days before the migration to v2.1. The project tweeted about the exploit:
(1/2)‼️ Uranium migration has been exploited, the following address holds 50 million. All that matters is that the money stays on BSC. Please tweet this address at Binance immediately and ask them to stop the transfers.
– Uranium Finance (@UraniumFinance) April 28, 2021
They then turned to the Telegram group for Binance users and developers, Binance Chain (BC) & Binance Smart Chain (BSC) – Developments Discussion Group, for help. We can only assume that this is a repeat of the project. Here is a list of what was stolen:
- 80 BTC ($4.3 million)
- 1,800 ETH ($4.7 million)
- 17.9 million BUSD ($17.9 million)
- 5.7 million USD ($5.7 million)
- 638,000 ADA ($0.8 million)
- 26,500 DOT ($0.8 million)
- 34,000 wrapped BNB ($18 million)
- 112,000 U92
Before interacting with Uranium, which launched earlier this month, the attacker sent a minimal amount of each token to the pair contracts and then called the low-level swap() function, which, because of the bug, could be used to empty both reserves.
“In our pools and farms, you will be rewarded in the form of our U92 token, just like on any other DEX [decentralized exchange],” Uranium says on its website. “The difference is that we created a second token, the U92 counterpart: U235. By holding this token in your portfolio, you will become an investor in our MSA, allowing you to receive dividends in BNB and BUSD at each block.”
According to Igor Igamberdiev, an analyst at The Block, the pair contracts in the Uranium V2 release contained a bug that made the exploit possible. To carry it out, the attacker interacted with each pair contract, the smart contract that holds a trading pair in the AMM, and removed all of its tokens.
The attacker used Uranium’s swap function to withdraw the funds, which were then moved immediately. First, the hacker traded the DOT and ADA tokens for ETH through Pancake, the decentralized exchange on Binance Smart Chain. Then $6.4 million, or 2,438 ETH, was withdrawn via Tornado Cash, an Ethereum mixer that lets users withdraw funds anonymously.
The 80 BTC were moved by the hacker using AnySwap, a fully decentralized cross-chain exchange protocol that lets users trade any coin on any blockchain.
Suspiciously, the Uranium contracts repository has been removed from GitHub, with no explanation. But with a little research, you can always track down the problematic code.
Kyle Kistner, co-founder of bZx, on the original Sushi repository code that Uranium copied:
Here’s the original Sushi repository code that Uranium forked: pic.twitter.com/QKVkpm3KVh
– Kyle 1B TVL Kistner | Fulcrum | bZx (@BeTheb0x) April 28, 2021
And the code as changed by Uranium:
Here is the code used by the Uranium developers:
See the difference? 1000 is replaced by 10000 in two places, but not at the end. The result? You can trade 1 wei of input tokens for 98% of the total output token balance pic.twitter.com/c8pRD55Fe9
– Kyle 1B TVL Kistner | Fulcrum | bZx (@BeTheb0x) April 28, 2021
In short, Uranium Finance was too creative in borrowing code. At least $57 million was stolen via this exploit, making it DeFi’s second largest exploit after the $59 million EasyFi hack. Earlier this month, Uranium Finance had already been hit by a vulnerability in one of the project’s smart contracts.
Kyle Kistner, co-founder of bZx, pointed out that small changes to the UraniumPair contract had dramatic effects on the behavior of the code. He also notes that the Uranium team was apparently aware of the exploit: “If you compare v2 and v2.1, the only change is the removal of the exploit,” he tweeted.
Ape Developer, ChartEx Pro core developer, summarized the hack:
Sounds like a $50 million typo, not an interesting hack. Just a costly mistake. This should have been trivial to catch with basic unit tests. You can see in the swap function that they copied the Uniswap function (similar comments, same order, same code). Copying excerpts from different repositories will yield results similar to this one.
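The two observations above, the 1000-to-10000 change that was not carried through to the final multiplication and the remark that a basic unit test would have caught it, can be checked with an integer model of the constant-product invariant. The Python below is an added example and is not code from the original post, from Uranium or from Uniswap: it mirrors the shape of the fee-adjusted require() at the end of a Uniswap-V2-style swap(), with Uniswap V2’s fee numerator of 3 (0.3%) assumed for both parameter sets and a constructed pool of one 18-decimal token per side. The second parameter set assumes the mismatch exactly as the tweet describes it: 10000 on the balance side, 1000 left on the reserve side.

```python
# Added example, not Uranium's or Uniswap's own code: an integer model of the
# fee-adjusted constant-product check at the end of a Uniswap-V2-style swap(),
# written the way a basic unit test for a pair contract could have been.
# The fee numerator 3 (0.3%) is Uniswap V2's; reserves and swap sizes are constructed.

# "scale" multiplies the post-swap balances, "fee_num" is the fee taken from the
# input amount, "k_scale" multiplies the old reserves on the right-hand side.
UNISWAP_V2 = {"scale": 1000, "fee_num": 3, "k_scale": 1000}
# Assumed shape of the change described in the tweet: the 1000 on the balance
# side became 10000 in two places, while the 1000**2 on the reserve side stayed.
MISMATCHED = {"scale": 10000, "fee_num": 3, "k_scale": 1000}


def k_check(p, reserve0, reserve1, balance0, balance1, amount0_in, amount1_in):
    """True when the require() at the end of swap() would pass: the fee-adjusted
    product of the new balances must not fall below the product of the old
    reserves, both sides scaled by their respective constants."""
    adjusted0 = balance0 * p["scale"] - amount0_in * p["fee_num"]
    adjusted1 = balance1 * p["scale"] - amount1_in * p["fee_num"]
    return adjusted0 * adjusted1 >= reserve0 * reserve1 * p["k_scale"] ** 2


def max_out_fraction(p, reserve0, reserve1, amount0_in):
    """Largest share of reserve1 a single swap can withdraw for amount0_in of
    token0 while still satisfying k_check. Binary search on integers is valid
    because taking more out only lowers adjusted1."""
    balance0 = reserve0 + amount0_in
    lo, hi = 0, reserve1      # lo always passes; hi (drain everything) never does
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if k_check(p, reserve0, reserve1, balance0, reserve1 - mid, amount0_in, 0):
            lo = mid
        else:
            hi = mid
    return lo / reserve1


ONE_TOKEN = 10 ** 18          # constructed pool: one 18-decimal token on each side


def one_wei_test(p):
    """The unit test that flags the bug: a 1 wei input must not move more than a
    rounding-level share of the other reserve. Returns (fraction, passed)."""
    frac = max_out_fraction(p, ONE_TOKEN, ONE_TOKEN, 1)
    return frac, frac < 1e-9


def normal_swap_ok(p):
    """Sanity check that the invariant still accepts an ordinary trade: put in 1%
    of reserve0 and take slightly less than the fee-adjusted fair output."""
    amount_in = ONE_TOKEN // 100
    amount_out = 98 * ONE_TOKEN // 10_000   # 0.98% of reserve1, below the ~0.987% fair output
    return k_check(p, ONE_TOKEN, ONE_TOKEN, ONE_TOKEN + amount_in,
                   ONE_TOKEN - amount_out, amount_in, 0)


if __name__ == "__main__":
    for name, params in (("Uniswap V2 constants", UNISWAP_V2),
                         ("10000/1000 mismatch", MISMATCHED)):
        frac, ok = one_wei_test(params)
        print(f"{name}: 1 wei buys {frac:.2%} of the other reserve -> "
              f"{'PASS' if ok else 'FAIL'}; normal swap accepted: {normal_swap_ok(params)}")
```

With the consistent Uniswap V2 constants, a 1 wei input cannot move a single wei of the other reserve, and an ordinary 1% trade is still accepted. With the balance side scaled by 10000 and the reserve side still by 1000, the left-hand product is 100 times too large, so the same 1 wei input passes the check while taking roughly 99% of the other reserve in this constructed pool, the same failure the tweet quantifies as 98% for Uranium’s pools. A test of this form, run against the modified contract, is the check the quoted comment says was missing.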
Guest contribution by CryptoShark of ChartEx
With a background in information technology, including software engineering, business intelligence, and infrastructure architecture, CryptoShark took his first steps into the cryptocurrency space by mining Ethereum on a spare gaming computer, and later developed the popular decentralized ChartEx charting platform. While working in FinTech, he soon began combining his analytical skills with his software-development experience to build tools for analyzing trading data from emerging exchanges. This led CryptoShark to launch ChartEx, a leading provider of comprehensive candlestick charts and other widely used trading tools for the industry’s largest exchanges.