Another Binance Smart Chain project was exploited by a flash loan attack, with DeFi platform BurgerSwap being the victim this time. According to a twitter post written by the Burgerswap Team, there were approximately $7.2 million in funds lost from the exploit.
https://twitter.com/burger_swap/status/1398092048343908359
What Exactly Are Flash Loans?
Flash loans, which are blockchain-based loans where tokens can be borrowed, have certain unique properties that are different from more traditional loans. Firstly, they use smart contracts, where the borrower must pay back the loan before the transaction ends, or the smart contract cancels or reverts the transaction.
Moreover, there is no collateral required for flash loans. Rather, the borrower must pay back when the flash loan is settled — which is often instantaneous. Thus, the borrower needs to rely on several other smart contracts to perform trades with the loaned funds before the transaction is settled.
BurgerSwap’s Key Mistake
While exploits using flash loans have become a recurring theme, the attack was only possible because the platform was missing a crucial line of code. According to founder of UniSwap Hayden Adams, BurgerSwap was based on Uniswap V2’s code, but a specific line had been removed, rendering the platform to be “drained.”
This thread sounds complicated. Here's what happened very simply.
Uniswap v2 fork removed the only line that enforces x*y=k from core:
So core could very trivially be drained.
This is the line that was removed:https://t.co/iN3nc1xMTm
iWoNDerWhYTHeyDiDtHAt https://t.co/B9TN3KP25U
— hayden.eth 🦄 (@haydenzadams) May 28, 2021
Due to the single missing line of code, the exploiters could make two separate transactions when in reality they should have been able to make one. This tricked Burgerswap’s protocol into closing a single transaction, leaving the borrower to keep the pool of leftover funds.
The same exploit was used on 14 different transactions, stealing a range of tokens including Wrapped Binance Coin (WBNB), Ethereum (ETH), and Burger Swap (BURGER).
“The current total loss is around $7 million and we will strive to cover all your loss,” BurgerSwap tweeted earlier today. “We understand what the community cares about the most. Detailed compensation plan is on the way.”
Featured image from UnSplash