Belt Finance, an AMM protocol incorporating multi-strategy yield optimization on Binance Smart Chain (BSC), has suffered a flash loan attack with losses amounting to $6.2 Million. The BUSD was stolen in 8 transactions, converted to 2680 anyETH, and partially withdrawn to Ethereum through 1inch V3. 1463 ETH remains in the cross-chain bridge.
The Belt Finance team tweeted:
"Partial funds of our 4Belt pool have been affected. (Accurate amount will be announced soon). We are now analyzing and fixing our contract for safety. Compensation plan and accident report will be up soon. Withdraw of BSC vaults will be paused until contract upgrade is complete."
What Are Flash Loan Attacks?
Flash loans are a new type of loan uncollateralized and administered by smart contracts developed by DeFi lending protocol, Aave. DeFi attacks such as Flash Loan attacks happen when the attacker takes out a flash loan from lending protocol and uses multiple gimmicks occurring at the same time to manipulate the market to work in their favor.
These attacks can take only seconds and still involve four or more DeFi protocols. These attacks are the most common as they are easy to pull off and get away with. With DeFi's surging popularity since 2020, flash loan attacks are increasing in number, with losses up to hundred million dollars.
Analysis Of The Belt Finance Attacks
BSC's projects have been a target of flash loan attacks, with Belt Finance being the latest target. Research analyst Igor Igamberdiev (@FrankResearcher on Twitter) shared a detailed analysis of the attack via Twitter. The attacks began with each transaction having eight flash loans of $385M BUSD from PancakeSwap.
The attacker then deposited 10M BUSD in bEllipsisBUSD strategy for the first transaction, becoming the 'Most Insufficient Strategy.' Another 187M BUSD was deposited to bVenusBUSD strategy ('Most Insufficient Strategy.')
The attacker then swapped 190M BUSD to 169M USDT through Ellipsis and withdrew more BUSD from bVenusBUSD strategy ('Most Overlooked Strategy'). Following this, 169M USDT was then swapped to 189M BUSD through Ellipsis, with more BUSD deposited to bVenusBUSD strategy ('Most Insufficient Strategy.'). These steps were over seven times.
Upon ending the repetition, the attacker repaid the flash loans and withdrew the profit. Igamberdiev notes that the beltBUSD price depends on the sum of the balances of all vault strategies. The vault deposits of BUSD are made to the Most Insufficient Strategy and withdrawn from the Most Overlooked Strategy.
He further adds,
"In theory, repeated actions will not make a profit since the number of assets does not change. However, if there is a way to manipulate other strategies, it is possible to manipulate the beltBUSD price. Apparently, by buying and selling BUSD, the attacker manipulated this price with a bug in the bEllipsisBUSD strategy balance calculations."
The stolen BUSD was converted to 2680 anyETH through 1inch v3. It was partially withdrawn to Ethereum, while 1463 ETH is still moving away from the cross-chain bridge. Belt Finance tweeted an update saying,
"We're working on figuring out the 4Belt situation right now. beltBTC,beltETH,beltBNB are ok. We will make an announcement soon about how we are/will be going forward. Withdrawals are temporarily paused."
A Series Of Unfortunate Attacks
PancakeBunny and BurgerSwap are two other projects on BSC that suffered flash loan attacks. PancakeBunny Finance lost 690,000 BUNNY tokens which were sold into ETH and BNB. The token lost 95.5% in its overall evaluation.
BurgerSwap lost $7.2 million over 14 transactions and has suspended Swap and BURGER generation to prevent further losses. The team is investigating the situation and looking for a solution currently; BurgerSwap will publish details soon.
BSC has called for all dApps to take the necessary action to prevent further attacks by working with audit companies and performing health checks. Forked projects have been asked to triple-check their changes from original versions.
The application of risk control measures to actively monitor anomalies in real-time, pausing protocols if abnormalities occur, planning a contingency plan for worst-case scenarios, and setting up bounty programs by respective projects or on ImmuneFi are some of the measures BSC has requested.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.