The controversial Binance Smart Chain is back in the news. Apparently, the Dapps it hosts have been the target of eight flash loan hacks in the last few days. Unofficially, it’s rumored that the amount lost is close to a whopping one billion dollars. Binance thinks “well organized hackers are targeting BSC now.” Twitter is skeptical, but that comes as no surprise.
There are >8 #flashloan hacks recently, we believe, well organized hackers are targeting #BSC now. It is a very challenging time for the BSC community. We are calling for the actions for all the #dapps:
— Binance Smart Chain (@BinanceChain) May 30, 2021
A call to action for all Dapps on the BSC
If the Binance Smart Chain is centralized, can’t they just take care of the problem themselves? That’s the main advantage of a centralized operation. Also, can the projects they host really be called Dapps? That’s a question for another day. For now, Binance is calling for said projects to do the following:
Work with your audit companies to do another health check. If you are forked projects, please double and triple check your changes from the original version.
Apply necessary risk control measures to actively monitor any anomaly in a real-time manner and pause the protocol if any anomaly indeed occurs.
Plan a contingency plan for the worst case if (a hack is) really happening.
Set up your own bounty program or on the immunefi if possible.
They’re also offering free consultations from blockchain security companies PeckShield and CertiK Security Leaderboard.
How Do Flash Loan Hacks Work?
The DeFi world is the wild wild west right now. That’s one of the reasons it’s exciting, fast, and fun. There are a lot of risks involved, though, both for the users and for the developers. This particular hack targets the latter, and it uses one of DeFi’s defining services to do so.
1⃣ The hacker used PancakeSwap to borrow a huge amount of BNB
2⃣ The hacker then went on to manipulate the price of USDT/BNB as well as BUNNY/BNB
3⃣ The hacker ended up getting a huge amount of BUNNY through this flash loan
— pancakebunny.finance (@PancakeBunnyFin) May 20, 2021
Basically, flash loans allow users to borrow large quantities of assets from an “on-chain liquidity pool,” which they have to return within the same transaction. They pay a low fee, and everyone is happy. The problem is, those large quantities of assets can be used to “manipulate the market with one large trade.”
So, “protocols that use a blockchain-based decentralized exchange (DEX) as the protocol’s sole price oracle” are at risk. Attackers just have to get a flash loan in one token and swap it for another on the DEX, which moves both prices: one goes up and the other goes down. Then, they go to their target protocol and use the second token to borrow an even larger quantity of the first token. With that, they repay their loan, pocket the difference, and wait for the market to correct the manipulated price.
Chainlink explains this further. The attackers were:
… able to raise the reported value of the token used as collateral and lower the reported value of the token used as debt. This allowed the attacker to borrow more funds than they should have been able to, creating a toxic position that cannot be fully liquidated, as the collateral became worth less than the debt.
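The oracle weakness described above, as an added example that is not from the article or from any of the affected projects: a fee-free constant-product pool is read once as a spot price and once as a per-block average, next to a deviation check of the kind the "pause the protocol" advice implies. Pool sizes, the 50% loan-to-value ratio, the 10% threshold and all class and function names are assumptions made for the illustration.

```python
# Added illustration: why a DEX spot price is a fragile oracle (constructed numbers).

class Pool:
    """Constant-product AMM (x * y = k); trading fees ignored for simplicity."""
    def __init__(self, bnb, usdt):
        self.bnb, self.usdt = float(bnb), float(usdt)

    def spot_price(self):
        return self.usdt / self.bnb          # USDT per BNB, read from reserves

    def swap_usdt_for_bnb(self, usdt_in):
        k = self.bnb * self.usdt
        self.usdt += usdt_in
        bnb_out = self.bnb - k / self.usdt   # reserves must still multiply to k
        self.bnb -= bnb_out
        return bnb_out

class TwapOracle:
    """Averages one sample per block, so a single trade cannot move it much."""
    def __init__(self, window):
        self.window, self.samples = window, []

    def record_block(self, pool):
        self.samples = (self.samples + [pool.spot_price()])[-self.window:]

    def price(self):
        return sum(self.samples) / len(self.samples)

def borrow_limit(collateral_bnb, price, ltv=0.5):
    return collateral_bnb * price * ltv      # what a lender would allow

def should_pause(spot, reference, max_deviation=0.10):
    """Circuit breaker: True when spot strays too far from the reference."""
    return abs(spot - reference) / reference > max_deviation

def simulate():
    pool, twap = Pool(10_000, 3_000_000), TwapOracle(window=10)
    for _ in range(10):                      # ten quiet blocks at 300 USDT/BNB
        twap.record_block(pool)
    bnb_received = pool.swap_usdt_for_bnb(3_000_000)  # one large same-block trade
    spot, ref = pool.spot_price(), twap.price()
    return {"spot": spot, "twap": ref, "pause": should_pause(spot, ref),
            "limit_spot": borrow_limit(bnb_received, spot),
            "limit_twap": borrow_limit(bnb_received, ref)}

if __name__ == "__main__":
    print(simulate())
```

A lender reading the spot price would value the same collateral at four times what the averaged price supports, and the deviation check flags the gap before any loan is issued.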
Could the hacks be rug pulls?
The skeptical Twitter community has another theory. There is no proof to support this, but they think that the projects were scams to begin with and that they’re masquerading their rug pulls as hacks. Binance Academy explains this concept while teaching users how to spot a scam:
If the project team is providing a good portion of the liquidity for the market pair on the AMM, they can just as well remove it and dump the tokens on the market. This typically results in the token price essentially going to zero. As there basically isn’t a market left to sell in, this is often called a rug pull.
AMM refers to Automated Market Makers, that is, services like Uniswap or PancakeSwap. So, could the recent incidents be rug pulls disguised as hacks? It’s certainly a simpler explanation.
Some of the hacked projects, however, are offering their users a compensation package.
The story is still developing. Bitcoinist will keep its eye on it.