The BUSD was stolen in 8 transactions, converted into 2680 anyETH, and partially withdrawn to Ethereum through 1inch V3. 1463 ETH remains in the cross-chain bridge.
The Belt Finance team tweeted:
(True number will be announced shortly). We’re now analyzing and adjusting our contract for security. Compensation plan and injury report will be up shortly. Withdraw of BSC vaults will be stopped until contract update is complete.
What Are Flash Loan Attacks?
Flash loans are a new kind of uncollateralized loan, enforced by smart contracts and introduced by the DeFi lending protocol Aave. A flash loan attack happens when the attacker takes out a flash loan from a lending protocol and uses several tricks at the same time to manipulate the market in their favor.
These attacks can take just seconds and still involve four or more DeFi protocols. They are the most common kind of DeFi attack because they are easy to pull off and get away with. With DeFi’s surging popularity since 2020, flash loan attacks are increasing in number, with losses of up to a hundred million dollars.
Analysis of the Belt Finance Attacks
BSC projects have been a target of flash loan attacks, with Belt Finance being the most recent. Research analyst Igor Igamberdiev (@FrankResearcher on Twitter) shared a comprehensive analysis of the attack via Twitter. The attack started with each transaction taking eight flash loans of $385M BUSD from PancakeSwap.
The attacker then deposited 10M BUSD into the bEllipsisBUSD strategy (for the first transaction), which became the ‘Most Beautiful Strategy.’ Another 187M BUSD was deposited into the bVenusBUSD strategy (‘Most Beautiful Strategy’).
The attacker then swapped 190M BUSD into 169M USDT via Ellipsis and withdrew more BUSD from the bVenusBUSD strategy (‘Most Overlooked Strategy’). Following this, the 169M USDT was swapped to 189M BUSD via Ellipsis, and more BUSD was deposited into the bVenusBUSD strategy (‘Most Beautiful Strategy’). These steps were repeated seven times.
After the last repetition, the attacker repaid the flash loans and withdrew the profit. Igamberdiev notes that the beltBUSD price depends on the sum of the balances of the vault strategies. BUSD deposits to the vault go into the Most Beautiful Strategy, and withdrawals come from the Most Overlooked Strategy.
“In concept, repeated actions won’t make a profit because the amount of resources does not change. But if there’s a means to manipulate different strategies, it’s possible to manipulate the beltBUSD cost. Apparently, by purchasing and selling BUSD, the attacker manipulated this cost with a bug in the bEllipsisBUSD strategy equilibrium calculations.”
The stolen BUSD was swapped into 2680 ETH via 1inch V3. It was partially withdrawn to Ethereum, while 1463 ETH still remains in the cross-chain bridge. Belt Finance tweeted an update stating,
“We are focusing on figuring out the 4Belt situation at this time. BeltBTC, beltETH, beltBNB are ok. We’ll make an announcement shortly about how we are/will be moving forward. Withdrawals are temporarily paused.”
PancakeBunny and BurgerSwap are two other projects on BSC that suffered flash loan attacks. PancakeBunny Finance lost 690,000 BUNNY tokens, which were sold for ETH and BNB. The token lost 95.5% of its value.
BurgerSwap lost $7.2 million in 14 transactions and has suspended Swap and BURGER generation to stop additional losses. The team is investigating the situation and looking for a solution; BurgerSwap will publish details shortly.
BSC has called on all dApps to take the necessary actions to stop additional attacks by working with audit companies and performing health checks. Forked projects are asked to triple-check their changes against the original versions.
The steps BSC has asked for include using risk control measures to actively monitor anomalies in real time, pausing protocols if abnormalities occur, preparing a contingency plan for worst-case scenarios, and establishing bounty programs, either run by the projects themselves or on ImmuneFi.
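The monitor-and-pause measure above, applied to the share-price relationship Igamberdiev describes, as an added example that is not Belt Finance's code: a Python model of a vault that pauses itself when its share price moves more than a tolerance within one block. The class names, the 50 bps tolerance and all balances are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

class Paused(Exception):
    """The vault refused the operation."""

@dataclass
class Strategy:
    name: str
    reported: float  # balance this strategy reports to the vault, in BUSD

@dataclass
class GuardedVault:
    strategies: list
    total_shares: float
    max_move_bps: float = 50.0   # assumed tolerance per block (0.5%)
    paused: bool = False
    ref_price: float = field(init=False, default=0.0)
    ref_block: int = field(init=False, default=0)

    def __post_init__(self):
        self.ref_price = self.share_price()

    def share_price(self) -> float:
        # Share price = sum of all strategy balances / shares outstanding.
        return sum(s.reported for s in self.strategies) / self.total_shares

    def check(self, block: int) -> float:
        """Run before every deposit or withdrawal; returns the accepted price."""
        if self.paused:
            raise Paused("vault is paused pending review")
        price = self.share_price()
        move_bps = abs(price - self.ref_price) / self.ref_price * 10_000
        if move_bps > self.max_move_bps:
            self.paused = True   # stays paused until operators intervene
            raise Paused(f"share price moved {move_bps:.0f} bps since block {self.ref_block}")
        if block > self.ref_block:   # first operation of a new block: re-anchor
            self.ref_price, self.ref_block = price, block
        return price

def demo():
    # Constructed balances: 100M + 200M BUSD backing 300M shares (price 1.0).
    a, b = Strategy("strategyA", 100e6), Strategy("strategyB", 200e6)
    vault = GuardedVault([a, b], total_shares=300e6)
    events = [round(vault.check(block=1), 4)]
    a.reported += 0.3e6                  # ordinary yield: +10 bps, accepted
    events.append(round(vault.check(block=2), 4))
    a.reported += 6e6                    # reported balance jumps inside block 2
    for _ in range(2):                   # the jump trips the guard; later calls stay blocked
        try:
            vault.check(block=2)
        except Paused as exc:
            events.append(str(exc))
    return events
```

The tolerance has to be wide enough for normal yield accrual between blocks and narrow enough that a single-block swing in any one strategy's reported balance trips the pause.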