Binance Smart Chain DeFi project BurgerSwap hacked for $7 million
Decentralized finance platform BurgerSwap lost over $7.2 million worth of BNB, ETH, BURGER, other tokens to a flash loan attack.
BurgerSwap, a decentralized finance (DeFi) platform based on smart contracts network Binance Smart Chain (BSC), fell victim to a so-called flash loan attack today, allowing the malicious actor to get away with roughly $7.2 million worth of tokens.
Another day, another DeFi hacked
“BurgerSwap Flash Loan Attack Details: At around 3 am on May 28th (UTC+8) #BurgerSwap on the BSC chain encountered a flash loan attack; $7.2M was stolen from #BurgerSwap in 14 transactions,” the project tweeted.
1/9
BurgerSwap Flash Loan Attack Details:
At around 3 am on May 28th (UTC+8) #BurgerSwap on the BSC chain encountered a flash loan attack; $7.2M was stolen from #BurgerSwap in 14 transactions;
— BurgerSwap (@burger_swap) May 28, 2021
According to BurgerSwap, the hacker(s) created their own “fake coin”—which can be done by anyone on BSC—and used it to form a trading pair with the platform’s BURGER token.
“By adjusting the routing, the attacker created $BURGER -> Fake Coin -> $WBNB routing; through $BURGER -> Fake Coin trading pair, attacker re-entered BurgerSwap through Fake Coin & manipulated a number of reserve0 and reserve1 in the pair’s contract, causing the price to change,” the developers explained.
Then, the attacker took a flash loan of 6,000 Binance Coin (BNB) from PancakeSwap, another BSC-based DeFi platform, and swapped the funds for 92,000 BURGER tokens. After that, they added 100 “fake tokens” and 45,000 BURGER to a liquidity pool and used it to exchange the “fake tokens” for 4,400 BNB.
5/9
Using WBNB as an example to illustrate the details of the attacks:
(1) Attacker flash swapped 6,000 $WBNB ($2M) from PancakeSwap;
(2) Then swapped almost all $WBNB to 92,000 $BURGER on BurgerSwap; pic.twitter.com/48kN4opI3z— BurgerSwap (@burger_swap) May 28, 2021
“Because of reentrancy in time of transfer fake token, the attacker did another swap from 45k $BURGER to 4.4k $WBNB. In total attacker received 8,800 $WBNB in the two latest steps,” the platform noted, adding that the hacker then “Swapped 493 $WBNB to around $108,700 BURGER on BurgerSwap” and repaid the flash loan.
Flash boys
Overall, the attacker reportedly managed to steal 4,400 BNB (worth around $1.6 million), 22,000 BUSD and 1.4 million USDT stablecoins, 2.5 Ethereum ($6,800), 432,000 BURGER ($3.2 million), and 142,000 xBURGER ($1 million)—for a total of over $7.2 million.
As CryptoSlate previously reported, a similar attack was recently conducted on Pancake Bunny, yet another DeFi platform in the BSC ecosystem.
Following the exploit, the project’s BUNNY token plummeted, losing over 90% of its price, while the hacker nabbed approximately $45 million of tokens.