- BurgerSwap was hit by a flash loan attack last night. The losses amount to roughly $7.2 million.
- Uniswap founder Hayden Adams noted that a key part of the code was changed by the BurgerSwap team, raising suspicions of an inside job.
- Incidents on Binance Smart Chain have multiplied in recent weeks, resulting in tens of millions in lost user funds.
Another Binance Smart Chain app has suffered a flash loan attack. More than $7 million of users’ funds was drained from BurgerSwap last night.
BurgerSwap Suffers Attack
Flash loan attackers are increasingly targeting Binance Smart Chain applications. This time, it was Uniswap clone BurgerSwap that got exploited. Last night, an attacker borrowed funds from PancakeSwap to unbalance the liquidity pools on BurgerSwap, then emptied them before returning the loan.
BurgerSwap posted a breakdown of the incident on Twitter earlier this morning.
BurgerSwap Flash Loan Attack Details:
— BurgerSwap (@burger_swap) May 28, 2021
The attack was worth roughly $7.2 million. Some of the funds are now on the Ethereum blockchain, while some BURGER tokens have been left on Binance Smart Chain.
BurgerSwap is one of Binance Smart Chain’s leading applications. It was launched last year and has similar code to Uniswap’s V2. However, as Uniswap founder Hayden Adams noted, BurgerSwap’s code omits a crucial line responsible for securing its liquidity pools. Adams reacted to the attack by noting that, without that line of code, the pools were very susceptible to this type of flash loan attack, before adding “iWoNDerWhYTHeyDiDtHAt.”
This thread sounds complicated. Here’s what happened very simply.
Uniswap v2 fork removed the only line that enforces x*y=k from core:
So core could very trivially be drained.
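The kind of check Adams is referring to, as an added illustration: a simplified Python model of a Uniswap-v2-style pair with the fee-adjusted x*y=k comparison, plus a regression check a fork maintainer could run against a pool implementation. This is not Uniswap's or BurgerSwap's code; `Pair`, `KInvariantError`, `max_fair_out`, `k_regression` and the `enforce_k` switch are names assumed for the example.

```python
FEE_NUM, FEE_DEN = 3, 1000  # 0.3% swap fee, as in Uniswap v2


class KInvariantError(Exception):
    """Raised when a swap would leave the pool below its pre-swap x*y product."""


class Pair:  # simplified two-token pool; integer reserves, no LP tokens
    def __init__(self, reserve0, reserve1, enforce_k=True):
        self.reserve0, self.reserve1 = reserve0, reserve1
        self.enforce_k = enforce_k  # False models a fork with the check removed

    @property
    def k(self):
        return self.reserve0 * self.reserve1

    def swap(self, amount0_in, amount1_in, amount0_out, amount1_out):
        """The caller states what it pays in and what it takes out."""
        if amount0_out >= self.reserve0 or amount1_out >= self.reserve1:
            raise ValueError("insufficient liquidity")
        balance0 = self.reserve0 + amount0_in - amount0_out
        balance1 = self.reserve1 + amount1_in - amount1_out
        if self.enforce_k:
            # Fee-adjusted balances, scaled by 1000 to stay in integer math.
            adj0 = balance0 * FEE_DEN - amount0_in * FEE_NUM
            adj1 = balance1 * FEE_DEN - amount1_in * FEE_NUM
            if adj0 * adj1 < self.reserve0 * self.reserve1 * FEE_DEN ** 2:
                raise KInvariantError("K")
        self.reserve0, self.reserve1 = balance0, balance1


def max_fair_out(reserve_in, reserve_out, amount_in):
    """Largest output the invariant permits for amount_in (v2 getAmountOut formula)."""
    in_with_fee = amount_in * (FEE_DEN - FEE_NUM)
    return in_with_fee * reserve_out // (reserve_in * FEE_DEN + in_with_fee)


def k_regression(pair_factory):
    """True if a fair swap keeps k from shrinking and one extra unit out is rejected."""
    pair = pair_factory()
    k_before = pair.k
    pair.swap(1_000, 0, 0, max_fair_out(pair.reserve0, pair.reserve1, 1_000))
    if pair.k < k_before:
        return False
    try:
        pair.swap(1_000, 0, 0, max_fair_out(pair.reserve0, pair.reserve1, 1_000) + 1)
    except KInvariantError:
        return True
    return False  # the over-sized withdrawal went through: invariant not enforced
```

Running `k_regression` against both configurations separates a pool that enforces the invariant from one that does not, which makes it usable as a test when reviewing changes to forked pool code.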