DeFi hacks on Binance Smart Chain continue as ‘Impossible Finance’ drained for $500k
Impossible Finance suffered a $500,000 loss in the latest DeFi exploit.
A flash loan attack is a common type of DeFi exploit in which hackers take an uncollateralized loan from a lending protocol and, through a series of technical maneuvers, manipulate the market in their favor.
The attack on the Impossible Finance liquidity pool happened on June 21 and resulted in a loss of 229.84 Ethereum (ETH), valued at $500,000 at the time of the exploit.
By using a fake token, hackers launched a flash loan attack to exhaust the protocol’s liquidity pool.
Auditing service WatchPug explained that the attack involved consecutive swaps at about the same price, draining the liquidity pool, “which is usually impossible.”
At 4 AM UTC, Jun 21, $0.5M was stolen from Impossible Finance.
The hacker made multiple swaps in a row at about the same price and drained the LP, which is usually impossible.
How does Impossible Finance make the impossible possible?
Read our analysis: https://t.co/3r0p1dOFWz
— WatchPug (@WatchPug_) June 21, 2021
A vulnerability in the pool’s smart contract enabled multiple swaps of the protocol’s native Impossible Finance token (IF) to Binance USD stablecoin (BUSD) and then to the native coin of Binance Chain, Binance Coin (BNB).
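Why consecutive swaps at about the same price are "usually impossible" can be shown with a small model. This is an added Python example, not code from the article, WatchPug or Impossible Finance's contracts. It assumes a constant-product pool (the article does not state the pool's pricing formula), and the `Pool` class, reserves and amounts are constructed for illustration.

```python
class InvariantError(Exception):
    """Raised when a swap would lower the product of the reserves."""


class Pool:
    # Constructed model: two reserves, no fee, integer amounts.
    def __init__(self, reserve_in, reserve_out, enforce_invariant=True):
        self.reserve_in = reserve_in
        self.reserve_out = reserve_out
        self.enforce_invariant = enforce_invariant

    def quote(self, amount_in):
        # Largest output that keeps reserve_in * reserve_out from falling.
        return self.reserve_out * amount_in // (self.reserve_in + amount_in)

    def swap(self, amount_in, amount_out):
        # The caller names the output; the pool decides whether to honour it.
        new_in = self.reserve_in + amount_in
        new_out = self.reserve_out - amount_out
        if amount_out <= 0 or new_out <= 0:
            raise ValueError("invalid output amount")
        if self.enforce_invariant and new_in * new_out < self.reserve_in * self.reserve_out:
            raise InvariantError("product of reserves would decrease")
        self.reserve_in, self.reserve_out = new_in, new_out


def repeat_first_price(pool, amount_in, attempts):
    """Ask for the first swap's price on every swap; return (accepted, paid_out)."""
    amount_out = pool.quote(amount_in)  # price of the first swap only
    accepted = paid_out = 0
    for _ in range(attempts):
        try:
            pool.swap(amount_in, amount_out)
        except InvariantError:
            break
        accepted += 1
        paid_out += amount_out
    return accepted, paid_out


if __name__ == "__main__":
    checked = Pool(1_000_000, 1_000_000)
    unchecked = Pool(1_000_000, 1_000_000, enforce_invariant=False)
    print("with check:   ", repeat_first_price(checked, 100_000, 5))
    print("without check:", repeat_first_price(unchecked, 100_000, 5))
    print("curve price for 500,000 in one swap:", Pool(1_000_000, 1_000_000).quote(500_000))
```

With the product check in place, the second request at the first swap's price is rejected because each swap moves the price. Without it, the modelled pool pays out more than the curve would give for the same total input.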
According to Mudit Gupta, a core developer of SushiSwap, the hack design wasn’t that innovative, and it exploited a vulnerability similar to the one in the recent attack on the BurgerSwap protocol, also built on the Binance Smart Chain, in which $7.2 million was stolen.
Impossible finance got exploited today for $500k. https://t.co/mzCPRluOjn
Same exploit as the burger swap one: https://t.co/3PkVtn7Hi7
If the original project gets hacked, why don't the forks react?
— Mudit Gupta (@Mudit__Gupta) June 21, 2021
Impossible Finance published a report on the incident through the official announcement channel and said it had prepared an insurance fund.
The project announced that all user funds deposited into liquidity pools prior to the attack will be 100% compensated. Meanwhile, all liquidity pool rewards are paused, and users are advised not to add or withdraw funds for the IF/BUSD and IF/BNB pairs.
Copycat? Serial? The space is yet to profile all the DeFi predators out there.