Binance Smart Chain-based DeFi project Uranium Finance exploited, lost $50 million

Quick Take

  • Uranium Finance, a Binance Smart Chain-based DeFi project, says it suffered exploitation early Wednesday and lost $50 million.
  • This could be an insider job or a rug pull, according to The Block Research’s Igor Igamberdiev.

Uranium Finance, a Binance Smart Chain-based decentralized finance (DeFi) project, says it suffered exploitation early Wednesday and lost $50 million.

Several tokens, including bitcoin and ether, were drained from the Uranium protocol, according to The Block Research's Igor Igamberdiev.

Specifically, 80 bitcoin ($4.3 million), 1,800 ETH ($4.7 million), 17.9 million BUSD ($17.9 million), 5.7 million USDT ($5.7 million), 638,000 ADA ($0.8 million), 26,500 DOT ($0.8 million), 34,000 wrapped BNB ($18 million), and 112,000 U92 tokens, a native token of Uranium, were drained.

Uranium, which was launched this month, said the exploitation took place during the migration of its protocol to the V2.1 version.

Uranium is an automated market maker (AMM) protocol, forked from Uniswap V2, and claims to give daily dividends to its users.

"In our pools and farms, you're rewarded with our U92 token, like every other DEX [decentralized exchange]. The difference is that we have created a second token, the U92 counterpart : U235. Holding this token on your wallet makes you an investor of our AMM, making you earn dividends in BNB and BUSD every block," reads Uranium's website.

It is not clear what exactly went wrong amid migration, but according to Igamberdiev, pair contracts in Uranium's V2 version had a bug.

Due to this bug, anyone could interact with the pair contracts and withdraw almost all tokens. (Pair contracts are smart contracts for special pairs in an AMM, say, for example, WETH-USDC).

Essentially, the bug allowed the exploiter to use a swap function in Uranium to drain the funds.

The exploiter has already started moving and withdrawing funds. About $6.4 million or 2,438 ETH have been withdrawn via Tornado Cash, an Ethereum mixer based on zero-knowledge proofs technology that lets users withdraw funds anonymously.

The exploiter first swapped DOT and ADA tokens to ETH via Binance Smart Chain-based decentralized exchange PancakeSwap. Then they swapped the BSC version of ETH to the Ethereum version of ETH via AnySwap, a cross-chain swap protocol.

All 80 bitcoin have also been withdrawn by the exploiter using AnySwap.

This could be an insider job or a rug pull, according to Igamberdiev, because Uranium's V2 version had a bug, and its team did not perform a white-hat attack before the migration to the V2.1 version.

The Uranium contracts repository has also been removed from GitHub for some unknown reasons.

The Block has reached out to Uranium for comments and will update this story should we hear back.


© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

AUTHOR

Yogita Khatri is a senior reporter at The Block and the author of The Funding newsletter. As our longest-serving editorial member, Yogita has been instrumental in breaking numerous stories, exclusives and scoops. With over 3,000 articles to her name, Yogita is The Block's most-published and most-read author of all time. Before joining The Block, Yogita wrote for CoinDesk and The Economic Times. You can reach her at [email protected] or follow her latest updates on X at @Yogita_Khatri5.

See More
Connect on

WHO WE ARE

The Block is a news provider that strives to be the first and final word on digital assets news, research, and data.

+ Follow us on Google News
Connect with the block on