Missing line of code leads to $7.2 million exploit of DEX BurgerSwap
May 28, 2021, 7:30AM EDT · 2 min read
- Decentralized exchange BurgerSwap has been exploited for $7.2 million.
- According to Uniswap founder Hayden Adams, it could have easily been avoided.
Yet another DeFi platform has been exploited for millions of dollars. This time, it’s BurgerSwap, a decentralized exchange (DEX) based on Binance Smart Chain.
According to The Block Research’s Igor Igamberdiev, an attacker used flash loans to exploit the protocol for $7.2 million. Flash loans are uncollateralized blockchain loans in which large amounts of tokens are borrowed, used for some purpose and repaid, all within a single transaction; if the loan is not repaid by the end of that transaction, the whole transaction reverts, so the attacker needs no capital of their own up front.
But the attack was only possible because the exchange was missing a key line of code, one that it should have had, according to Hayden Adams, founder of the decentralized exchange Uniswap. Adams tweeted today that BurgerSwap was based on Uniswap’s V2 code but a specific line of code had been removed, "so core could very trivially be drained."
As a result, the perpetrator was able to get two swaps out of the protocol where it should only have allowed one. In one example, they borrowed 6,000 wrapped BNB (WBNB) via a flash loan and used the protocol to turn it into 8,800 WBNB, something a correctly checked swap should have prevented. After repaying the loan, they kept the remaining tokens as profit.
The same attack was repeated across 14 transactions to steal a range of tokens, including WBNB, ether (ETH), two stablecoins and a large stash of BurgerSwap’s own token (BURGER).
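To make the "missing line" concrete, here is an added Python model of a Uniswap V2-style pair. It is not BurgerSwap’s, Uniswap’s or The Block’s code, and the article does not say which line was removed; the model assumes, for illustration only, that it was the constant-product invariant check that Uniswap V2’s `swap` performs after it has optimistically transferred the requested output (the `require(... 'UniswapV2: K')` line). Pool sizes and amounts are constructed sample values. The same request that reverts when the check is present goes through when it is removed, which is how a caller ends up taking more out of the pool than they paid in.

```python
"""Uniswap V2-style pair swap, with and without the constant-product check.

Added illustration: not BurgerSwap's, Uniswap's or The Block's code.
The article does not identify the removed line; this model ASSUMES, for
illustration, that it was Uniswap V2's invariant check after the optimistic
transfer-out:
    require(balance0Adjusted.mul(balance1Adjusted) >=
            uint(_reserve0).mul(_reserve1).mul(1000**2), 'UniswapV2: K');
Reserves and amounts below are constructed sample values.
"""


class SwapRejected(Exception):
    """Stands in for a Solidity revert."""


def amount_out(reserve_in, reserve_out, amount_in):
    """Uniswap V2 getAmountOut: the most output a swap can take for amount_in
    after the 0.3% fee (997/1000), using integer division as Solidity does."""
    amount_in_with_fee = amount_in * 997
    return amount_in_with_fee * reserve_out // (reserve_in * 1000 + amount_in_with_fee)


class Pair:
    def __init__(self, reserve0, reserve1, enforce_k=True):
        self.reserve0, self.reserve1 = reserve0, reserve1  # last synced reserves
        self.balance0, self.balance1 = reserve0, reserve1  # tokens actually held
        self.enforce_k = enforce_k  # False models a pair with the check removed

    def swap(self, amount0_out, amount1_out, pay_in0=0, pay_in1=0):
        """Send the requested output first (optimistic transfer), credit whatever
        the caller paid in, then verify the invariant. pay_in0/pay_in1 model the
        tokens the caller transfers to the pair during the call."""
        if amount0_out >= self.reserve0 or amount1_out >= self.reserve1:
            raise SwapRejected("INSUFFICIENT_LIQUIDITY")
        self.balance0 += pay_in0 - amount0_out
        self.balance1 += pay_in1 - amount1_out
        # How much actually came in, measured exactly as UniswapV2Pair does.
        amount0_in = max(self.balance0 - (self.reserve0 - amount0_out), 0)
        amount1_in = max(self.balance1 - (self.reserve1 - amount1_out), 0)
        if amount0_in == 0 and amount1_in == 0:
            self._revert()
            raise SwapRejected("INSUFFICIENT_INPUT_AMOUNT")
        if self.enforce_k:
            # Fee-adjusted balances must keep x*y at or above the old reserves' product.
            adjusted0 = self.balance0 * 1000 - amount0_in * 3
            adjusted1 = self.balance1 * 1000 - amount1_in * 3
            if adjusted0 * adjusted1 < self.reserve0 * self.reserve1 * 1000 ** 2:
                self._revert()
                raise SwapRejected("K")
        # _update(): the new balances become the reserves.
        self.reserve0, self.reserve1 = self.balance0, self.balance1
        return amount0_in, amount1_in

    def _revert(self):
        # A reverted transaction leaves the pair exactly as it was.
        self.balance0, self.balance1 = self.reserve0, self.reserve1


def attempt(enforce_k, pay_in0, amount1_out, reserve=100_000):
    """Pay pay_in0 of token0 into a fresh reserve/reserve pool and request
    amount1_out of token1. Returns (outcome, token1 the pool still holds)."""
    pair = Pair(reserve, reserve, enforce_k=enforce_k)
    try:
        pair.swap(0, amount1_out, pay_in0=pay_in0)
        return "ok", pair.balance1
    except SwapRejected as err:
        return f"rejected: {err}", pair.balance1


if __name__ == "__main__":
    fair = amount_out(100_000, 100_000, 1_000)  # 987
    print("fair output for 1,000 in:  ", fair)
    print("with K check, fair swap:   ", attempt(True, 1_000, fair))
    print("with K check, 1 unit more: ", attempt(True, 1_000, fair + 1))
    print("with K check, ask 5x:      ", attempt(True, 1_000, 5_000))
    print("K check removed, ask 5x:   ", attempt(False, 1_000, 5_000))
```

The check is the only thing standing between the optimistic transfer-out and the caller: the pair hands over the requested tokens before it knows what it was paid, and relies on the invariant to revert any swap whose payment is short. Remove it and the pool still refuses a zero-input swap, but a caller paying one unit can take almost everything, which is the "trivially drained" condition Adams describes.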
“The current total loss is around $7 million and we will strive to cover all your loss,” BurgerSwap tweeted today, adding, “We understand what the community cares about the most. Detailed compensation plan is on the way.”
According to Igamberdiev, the hacker has started using the Nerve protocol to sell the stolen tokens and bridge the proceeds to the Ethereum blockchain.
This exploit comes just over a week after Binance Smart Chain-based DeFi protocol Bunny Finance was exploited and saw $45 million drained from its ecosystem. In March, yield farming pool Meerkat Finance, also on Binance Smart Chain, lost $31 million in what may have been a rug pull.
© 2021 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.