A hacker has exploited a vulnerability on the BNB Chain, the blockchain platform of Binance, the world’s largest cryptocurrency exchange. The hacker used a flash loan, a type of uncollateralized loan in decentralized finance (DeFi), to manipulate the price of a token and steal $1.27 million in a single transaction.
The attack occurred on Wednesday, October 11, on the Pancakeswap BH/USDT trading pair. Pancakeswap is a popular decentralized exchange (DEX) that runs on the BNB Chain. The hacker borrowed a large amount of USDT, a stablecoin pegged to the US dollar, from another DEX and used it to buy BH tokens, a native token of the Binance ecosystem.
$BH token on BNB Chain was exploited for ~$1.27M due to suspected price manipulation. The profits were sent into Tornado Cash.
Attacker: 0xFDbfcEEa1de360364084a6F37C9cdb7AaeA63464
The attacker flashloaned a large amount of $USDT, then called 0x33688938() to add $USDT to the…
— Beosin Alert (@BeosinAlert) October 11, 2023
Another Flash Loan Exploit Hits the Market
This caused the price of BH to surge artificially, creating an arbitrage opportunity. The hacker then sold the BH tokens for USDT at a higher price on Pancakeswap and repaid the flash loan within the same block. The hacker made a profit of $1.575 million with an initial investment of only $4.16.
The hacker then transferred the stolen funds to Tornado Cash, a privacy-preserving service that mixes Ether transactions to hide their origin and destination. This makes it difficult to trace the hacker and recover the funds.
This is not the first time that flash loan attacks have occurred in DeFi. In April, Aave, another leading DeFi platform, lost $10 million in a similar attack. Earlier today, Platypus, another DeFi platform, also reported an attack. Flash loan attacks exploit the vulnerabilities of DeFi protocols, oracles, and liquidity pools to manipulate prices and execute arbitrage trades.
Flash loans are a novel feature of DeFi that allows users to borrow assets without collateral as long as they repay them within one block. This enables users to access large amounts of capital for various purposes, such as arbitrage, liquidation, or collateral swapping. However, flash loans also pose significant risks to the security and stability of DeFi platforms and users.
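The price manipulation described above works when a protocol trusts a pool's instantaneous price. As an added illustration (not code from this article, Beosin, or any project named here), the Python model below shows a time-weighted average price (TWAP) check rejecting a large same-block swap while accepting an ordinary trade. The constant-product pool, its reserves, the 0.25% fee, the 3-second block time and the 5% deviation limit are all assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product (x*y=k) pool. All numbers here are constructed samples."""
    usdt: float
    token: float
    fee: float = 0.0025      # assumed swap fee
    cum_price: float = 0.0   # running sum of price * seconds (TWAP accumulator)
    last_ts: int = 0

    def spot(self) -> float:
        """Instantaneous price in USDT per token; movable within one block."""
        return self.usdt / self.token

    def tick(self, now: int) -> None:
        """Record the price that held since the last update, before any trade."""
        self.cum_price += self.spot() * (now - self.last_ts)
        self.last_ts = now

    def buy_token(self, usdt_in: float) -> float:
        """Swap USDT for tokens along the x*y=k curve; returns tokens out."""
        eff = usdt_in * (1 - self.fee)
        out = self.token * eff / (self.usdt + eff)
        self.usdt += usdt_in
        self.token -= out
        return out

def twap(pool: Pool, cum_start: float, ts_start: int) -> float:
    """Time-weighted average price over [ts_start, pool.last_ts]."""
    return (pool.cum_price - cum_start) / (pool.last_ts - ts_start)

def price_is_sane(pool: Pool, ref: float, max_dev: float = 0.05) -> bool:
    """Guard: accept the spot price only if it is within max_dev of the TWAP."""
    return abs(pool.spot() - ref) / ref <= max_dev

def check_swap(usdt_in: float):
    """Ten quiet minutes of assumed 3-second blocks, then one swap of usdt_in."""
    pool = Pool(usdt=1_000_000.0, token=1_000_000.0)
    for now in range(3, 601, 3):
        pool.tick(now)
    ref = twap(pool, 0.0, 0)
    pool.buy_token(usdt_in)   # same block: the accumulator has not moved
    return pool.spot(), ref, price_is_sane(pool, ref)

if __name__ == "__main__":
    for size in (1_000.0, 5_000_000.0):
        spot, ref, ok = check_swap(size)
        print(f"swap {size:>12,.0f} USDT  spot={spot:8.4f}  twap={ref:.4f}  accepted={ok}")
```

A contract that prices assets from the averaged value, or refuses to act when spot and average diverge, is not moved by capital that enters and leaves within one block.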
The BNB Chain exploit is a reminder of the need for more robust security measures and regulations in DeFi. The BNB Chain team has not yet commented on the incident or announced any measures to prevent future attacks.