The bad player behind the infamous hack of the Uranium Finance protocol has now moved the second batch of stolen funds worth over $4.8 million into the decentralized privacy protocol Tornado Cash.
Uranium Finance is a decentralized finance (DeFi) protocol built on the BNB Chain. It functions as an automated market maker (AMM) project. Holders of its native cryptocurrency, URF, are eligible for several benefits on its platform.
Two-Year-Old Hack
The Uranium hack dates back to April 2021, when an attacker interrupted a liquidity token migration to V2.1. Uranium had intended to switch to V2.1 to support its increased user base. The hacker successfully pocketed a profit of about $50 million worth of assets after the attack. At that time, part of the funds had been moved to Tornado Cash.
The wallets tied to the bad actor remained dormant for about two years. On March 7, 2023, the hacker woke from slumber and moved $3.35 million worth of assets into the privacy protocol.
On-chain data shows that the Ethereum wallet involved in the latest $4.8 million fund transfer has a current wallet balance of only 18 ETH.
A Suspected Rug Pull Attack
Investors suspect the exploit was a rug pull and not a security breach. A rug pull occurs when a project’s developer team attracts users and their money through public engagements, to escape with their invested funds after a short while.
Uranium, however, claimed to be innocent of all such allegations. The project published a message to its community a day after the funds’ theft, urging them to pull their funds from the protocol. Since then, all public appearances of the DeFi protocol have been shut down.
Meanwhile, DeFi protocol attacks are constantly on the rise. Yesterday, lending protocol Euler Finance lost nearly $200 million to a massive security breach. It brought the crypto lending project in line with the biggest crypto hacks in history, trailing Axie Infinity’s $625 million and Nomad’s $200 million attacks.
