Uranium Finance, a DeFi project that labels itself the “daily AMM dividend AMM on Binance Smart Chain,” has suffered a large-scale security breach.
According to a team update, the attackers hijacked a plan to migrate Uranium’s liquidity provider (LP) tokens to a new V2.1. The migration was said to be in response to an increased usage of the protocol and a milestone integration with the leading DeFi aggregator, 1inch.
However, the attack intercepted the LP token migration and is trying to make way with roughly $50 million worth of BNB and BUSD tokens. At the time of writing, the address still holds roughly $19 million worth of BNB and $17 million worth of BUSD.
Additionally, the hacker has already begun moving $2.1 million worth of ETH acquired from the attack, obfuscating it using the popular privacy-focused wallet, Tornado Cash. The funds are being moved in batches of 100 ETH.
Although a port-mortem report could possibly provide more information, Uranium Finance claims to have gotten in touch with the Binance security team to help hunt down the exploiter.
Rug Pulls on Uranium Finance
This is the second alleged high-profile security breach on the BSC-based project, with the frequent recurrence raising doubts by users that the developers might be behind the incidents.
Following the initial incident, a Medium article read
“We have learnt from our missteps in V1, and have made the security and reliability of both our contracts and web infrastructure our highest priority.”
Uranium claimed that a supposedly talented white-hat and code auditor, HyperJump, had reviewed its smart contracts. According to a post-mortem report, $1 million in BUSD was recovered from the initial exploit following conversations with the exploiter.
A member of HyperJump dev team who spoke with Coinfomania on the condition of anonymity noted that “Hyperjump was not asked to audit the AMM contracts that were exploited and did indeed ensure there was no migrator before issuing a badge.” Sentiments shared by other industry observers about the incident also suggest it might have been a ‘rug pull.’
In a similar recent report, Coinfomania reported that another DeFi-protocol, EasyFi Network, lost $55 million to a Metamask admin key hack.
Update: This article has been updated to include comments from an Anon HyperJump co-founder regarding the incident.
Affiliate: Get a Ledger Nano X for $119 So That Hackers Won't Steal Your Crypto!