Uranium Finance, a DeFi project that labels itself as the “daily AMM dividends AMM on Binance Smart Chain” has suffered a large-scale security breach.
According to a team update, attackers hijacked a plan to migrate Uranium’s liquidity provider (LP) tokens to a new V2.1. The migration was said to be in response to an increased usage of the protocol and a milestone integration with the leading DeFi aggregator, 1inch.
However, attacked intercepted the LP token migration and is trying to make way with roughly $50 million worth of BNB and BUSD tokens. At the time of writing, the address still holds roughly $19 million worth of BNB and $17 million worth of BUSD.
Additionally, the hacker has already begun moving $2.1 million worth of ETH acquired from the attack, obfuscating it using the popular privacy-focused wallet, Tornado Cash. The funds are being moved in batches of 100 ETH.
Although a port-mortem report will possibly provide more information, Uranium Finance claims to have gotten in touch with the Binance security team to help hunt down the exploiter
Rug Pulls on Uranium Finance
This is the second alleged high-profile security breach on the BSC-based project, with the frequent recurrence raising doubts by users that the developers might be behind the incidents.
Following the initial incident, a Medium article read
“We have learnt from our missteps in V1, and have made the security and reliability of both our contracts and web infrastructure our highest priority.”
A supposedly talented whitehat and code auditor, HyperJump had reviewed the Uranium Finance code, which included the ‘migration’ function. According to a post-mortem report, $1 million in BUSD was recovered from the initial exploit following conversations with the exploiter.
In a similar recent report, Coinfomania reported that another DeFi-protocol, EasyFi Network, lost $55 million to a Metamask admin key hack.
Affiliate: Get a Ledger Nano X for $119 So That Hackers Won’t Steal Your Crypto!