The Belt Finance platform, which provides automated market making for decentralized finance (DeFi), was hacked through a flash loan attack, resulting in the theft of $6.23 million. The attacker withdrew funds from the platform in eight transactions, converted them to ETH using the 1inch DEX, and partially bridged them from the Binance Smart Chain to the Ethereum network.
This incident is yet another attack on a DeFi protocol built on top of the Binance Smart Chain. The hack was relatively small: the attacker managed to embezzle only $6.2 million of the $2.6 billion locked in Belt Finance. Note that the price of the BELT token has dropped by 27.6% over the past 24 hours.
Hacker used the Ellipsis strategy of the BeltBUSD vault
The BeltBUSD vault uses four strategies, and the drained funds were the result of an error in the Ellipsis strategy. By buying and selling BUSD, the attacker apparently manipulated its price using a bug in the balance calculation of the bEllipsisBUSD strategy.
According to experts, the attacker borrowed $385 million in BUSD on the PancakeSwap platform. He then deposited $10 million into the bEllipsisBUSD strategy.
The hacker leveraged $187 million in BUSD in the bVenusBUSD strategy and repeated these steps more than seven times. He then exchanged $190 million in BUSD for $169 million in USDT through the Ellipsis platform.
After that, the attacker withdrew BUSD from the bVenusBUSD strategy and exchanged the $169 million in USDT back into $189 million in BUSD using the Ellipsis platform. He then deposited the BUSD into the bVenusBUSD strategy.
Finally, the hacker repaid the flash loans and withdrew the profits.
By repeating this cycle several times, the hacker made a profit of $6.2 million and caused a total loss of $13 million, since about $6 million went to fees paid to the 3EPS pool.
The BeltUSD price depends on the sum of the balances of all strategies on the platform. Hence, anyone who can manipulate one of those strategy balances can influence the price of the Belt Finance platform asset.
BeltBUSD users suffered a 21.36% loss of funds, while 4Belt users suffered a 5.51% loss of funds. No other pools were affected.
Withdrawals are suspended
The project reported that withdrawals and deposits have been suspended and that the discovered vulnerability has been fixed.
In a subsequent announcement, Belt Finance said that withdrawals and deposits will resume in approximately the next 24-48 hours. The project is currently working on a compensation plan that will be published within the next 48 hours.
In short, the flash loan led to an increase in wantTotalLocked in the Ellipsis strategy, and MultiVault paid out withdrawals at a higher value than the actual volume of assets backing them. This was the root cause of the exploit.
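To make the accounting failure concrete, the following is an added, simplified model written for this article; it is not Belt Finance's contract code, and the strategy names, balances and the 2% drift cap are constructed assumptions. It shows a vault that prices shares from the sum of its strategies' reported balances (the wantTotalLocked figures), what happens to the remaining depositors when one strategy briefly over-reports its balance during a withdrawal, and how a defensive share-price drift cap (a checkpointed price that a single transaction cannot exceed by more than a small tolerance) bounds the damage until the underlying balance calculation is corrected.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Strategy:
    """One vault strategy (illustrative model, not Belt's code)."""
    name: str
    real_assets: float            # value the strategy truly controls
    reported_inflation: float = 0.0  # excess that a skewed balance calculation reports

    def want_total_locked(self) -> float:
        # The vault trusts this figure when pricing its shares.
        return self.real_assets + self.reported_inflation


class MultiVault:
    """Shares are priced from the sum of all strategies' reported balances."""

    def __init__(self, strategies: List[Strategy], total_shares: float,
                 max_price_drift: float = 0.02):
        self.strategies = strategies
        self.total_shares = total_shares
        self.max_price_drift = max_price_drift  # assumed tolerance, e.g. 2%
        # Price checkpoint taken at a trusted moment (e.g. the previous block/harvest).
        self.checkpoint_price = self.reported_price()

    def reported_total(self) -> float:
        return sum(s.want_total_locked() for s in self.strategies)

    def real_total(self) -> float:
        return sum(s.real_assets for s in self.strategies)

    def reported_price(self) -> float:
        return self.reported_total() / self.total_shares

    def withdraw_unchecked(self, shares: float) -> float:
        """Naive vault: pay out at whatever price the strategies currently report."""
        payout = shares * self.reported_price()
        self._pay(shares, payout)
        return payout

    def withdraw_capped(self, shares: float) -> float:
        """Defensive variant: a single withdrawal is never valued above the
        checkpoint price plus a small drift, so a transient balance skew
        cannot be cashed out in full."""
        cap = self.checkpoint_price * (1 + self.max_price_drift)
        price = min(self.reported_price(), cap)
        payout = shares * price
        self._pay(shares, payout)
        return payout

    def _pay(self, shares: float, payout: float) -> None:
        # Real assets leave the vault pro-rata from each strategy's true balance.
        self.total_shares -= shares
        total = self.real_total()
        for s in self.strategies:
            s.real_assets -= payout * (s.real_assets / total)

    def remaining_holders_loss_pct(self, fair_price: float) -> float:
        """How much of their fair value the depositors who stayed have lost."""
        if self.total_shares == 0:
            return 0.0
        return (1 - self.real_total() / (self.total_shares * fair_price)) * 100


def simulate(capped: bool):
    """Run one deposit / balance-skew / withdraw cycle and report the outcome."""
    # Constructed balances: two strategies backing 100M shares at a fair price of 1.0.
    vault = MultiVault([Strategy("bVenusBUSD", 60_000_000.0),
                        Strategy("bEllipsisBUSD", 40_000_000.0)],
                       total_shares=100_000_000.0)
    fair_price = vault.reported_price()

    # A 10M deposit at the fair price into the Ellipsis strategy.
    vault.strategies[1].real_assets += 10_000_000.0
    vault.total_shares += 10_000_000.0

    # The balance calculation of that strategy is skewed upward within the same
    # transaction (constructed figure); real assets are unchanged.
    vault.strategies[1].reported_inflation = 22_000_000.0

    withdraw = vault.withdraw_capped if capped else vault.withdraw_unchecked
    payout = withdraw(10_000_000.0)

    # Once the pool is unwound the skew disappears, but paid-out assets are gone.
    vault.strategies[1].reported_inflation = 0.0
    return payout, vault.remaining_holders_loss_pct(fair_price)


if __name__ == "__main__":
    for capped in (False, True):
        payout, loss = simulate(capped)
        print(f"capped={capped}: payout={payout:,.0f} remaining holders lose {loss:.2f}%")
```

In the unchecked run the 10M deposit is redeemed for 12M because the vault prices the shares from the inflated sum, and the 2M shortfall is socialised across everyone who stayed; with the drift cap the same cycle can extract at most the tolerated 2% above the checkpoint. The cap is defence in depth only: the real fix is a balance calculation that a flash-loan-sized swap cannot skew, and the cap should be paired with monitoring that alerts when reported and expected balances diverge.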
Unfortunately, this is not the first such situation for the Binance Smart Chain ecosystem in recent weeks.