Missing line of code leads to $7.2 million exploit of DEX BurgerSwap

Quick Take

  • Decentralized exchange BurgerSwap has been exploited for $7.2 million.
  • According to Uniswap founder Hayden Adams, it could have easily been avoided.

Yet another DeFi platform has been exploited for millions of dollars. This time, it’s BurgerSwap, a decentralized exchange (DEX) based on Binance Smart Chain. 

According to The Block Research’s Igor Igamberdiev, an attacker used flash loans to exploit the protocol for $7.2 million. Flash loans are uncollateralized on-chain loans in which a large amount of tokens is borrowed, used for some purpose and repaid, all within a single transaction; if the loan is not repaid by the end of that transaction, the whole transaction reverts.

But the attack was only possible because the exchange was missing a key line of code, one that it should have had, according to Hayden Adams, founder of the decentralized exchange Uniswap. Adams tweeted today that BurgerSwap was based on Uniswap’s V2 code but a specific line of code had been removed, "so core could very trivially be drained."

As a result, the perpetrator was able to push two operations through the protocol where only one should have been possible. In one example, the attacker flash-borrowed 6,000 wrapped BNB (WBNB), ran the tokens through the protocol and came out with 8,800 WBNB, a gain the protocol should have rejected. After repaying the loan, the attacker kept the difference.
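The article does not say which line was removed. As an added illustration that is not from the article, from Uniswap or from BurgerSwap's code, the following Python model of a Uniswap V2 pair assumes, for the sake of the example, that the missing line is the pair's constant-product invariant check (the `require(...)` that reverts with `'UniswapV2: K'`). That check is what forces a swap to pay for what it takes out: the pool transfers the requested output first and only afterwards verifies that the fee-adjusted reserves still multiply to at least the old product. The pool sizes and amounts below are constructed, and the function names are the example's own.

```python
"""Model of the Uniswap V2 pair swap() with and without the K invariant check.

Added example, not code from the article or from BurgerSwap. Assumption: the
removed line is modelled as the constant-product (K) check in swap().
"""

FEE_NUM, FEE_DEN = 3, 1000  # Uniswap V2 takes 0.3% of every input amount


class PairError(Exception):
    """Stands in for a failed require() in the pair contract."""


class Pair:
    """Two-token constant-product pool holding reserve0 and reserve1."""

    def __init__(self, reserve0: int, reserve1: int, enforce_k: bool = True):
        self.reserve0 = reserve0
        self.reserve1 = reserve1
        self.enforce_k = enforce_k  # False models the pair with the line removed

    def swap(self, amount0_out: int, amount1_out: int,
             amount0_in: int = 0, amount1_in: int = 0) -> tuple[int, int]:
        """Uniswap V2 style swap: output leaves the pool optimistically, then
        the pool checks that what was paid in keeps x*y from shrinking.
        Returns the reserves after the swap."""
        if amount0_out <= 0 and amount1_out <= 0:
            raise PairError("INSUFFICIENT_OUTPUT_AMOUNT")
        if amount0_out >= self.reserve0 or amount1_out >= self.reserve1:
            raise PairError("INSUFFICIENT_LIQUIDITY")
        # Balances after the optimistic transfer out and the caller's deposit.
        balance0 = self.reserve0 - amount0_out + amount0_in
        balance1 = self.reserve1 - amount1_out + amount1_in
        if self.enforce_k:
            # The line in question: fee-adjusted balances must satisfy
            # x' * y' >= x * y, scaled by FEE_DEN**2 to stay in integers.
            adj0 = balance0 * FEE_DEN - amount0_in * FEE_NUM
            adj1 = balance1 * FEE_DEN - amount1_in * FEE_NUM
            if adj0 * adj1 < self.reserve0 * self.reserve1 * FEE_DEN ** 2:
                raise PairError("K")
        self.reserve0, self.reserve1 = balance0, balance1
        return balance0, balance1


def get_amount_out(amount_in: int, reserve_in: int, reserve_out: int) -> int:
    """UniswapV2Library.getAmountOut: the most a fair swap may take out."""
    amount_in_with_fee = amount_in * (FEE_DEN - FEE_NUM)
    return (amount_in_with_fee * reserve_out) // (reserve_in * FEE_DEN + amount_in_with_fee)


def honest_swap(enforce_k: bool) -> tuple[int, bool]:
    """Pay 6,000 of token0 in and take the fair amount of token1 out.
    Returns (amount received, whether x*y grew or stayed equal)."""
    pair = Pair(reserve0=100_000, reserve1=100_000, enforce_k=enforce_k)
    amount_in = 6_000
    out = get_amount_out(amount_in, pair.reserve0, pair.reserve1)
    pair.swap(0, out, amount0_in=amount_in)
    return out, pair.reserve0 * pair.reserve1 >= 100_000 * 100_000


def drain_attempt(enforce_k: bool) -> bool:
    """Ask for 8,800 of token1 while paying nothing in.
    Returns True if the pool let the withdrawal through."""
    pair = Pair(reserve0=100_000, reserve1=100_000, enforce_k=enforce_k)
    try:
        pair.swap(0, 8_800)
    except PairError as err:
        # With the check in place the only thing that can fail here is K.
        assert str(err) == "K"
        return False
    return True


if __name__ == "__main__":
    print("fair swap, K enforced:", honest_swap(True))        # (5644, True)
    print("free withdrawal, K enforced:", drain_attempt(True))   # False
    print("free withdrawal, K removed:", drain_attempt(False))   # True
```

With the check present, a swap that deposits 6,000 token0 can take out at most the library's 5,644 token1 and any attempt to withdraw without depositing reverts with `K`; with the check removed, the same withdrawal succeeds, so the pool can be emptied one call at a time, which is the "trivially drained" outcome Adams describes.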

The attacker repeated the same attack across 14 transactions to steal a range of tokens, including WBNB, ether (ETH), two stablecoins and a large amount of BurgerSwap's own token (BURGER).

“The current total loss is around $7 million and we will strive to cover all your loss,” BurgerSwap tweeted today, adding, “We understand what the community cares about the most. Detailed compensation plan is on the way.”

According to Igamberdiev, the attacker has started using the Nerve protocol to sell the tokens and bridge the proceeds to the Ethereum blockchain.

This exploit comes just over a week after Binance Smart Chain-based DeFi protocol Bunny Finance was exploited and saw $45 million drained from its ecosystem. In March, yield farming pool Meerkat Finance, also on Binance Smart Chain, lost $31 million in what may have been a rug pull.


© 2021 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
