Binance Smart Chain-based DeFi project Uranium Finance exploited, lost $50 million

Uranium Finance, a Binance Smart Chain-based decentralized finance (DeFi) project, says it suffered exploitation early Wednesday and lost $50 million.

Several tokens, including bitcoin and ether, were drained from the Uranium protocol, according to The Block Research's Igor Igamberdiev.

Specifically, 80 bitcoin ($4.3 million), 1,800 ETH ($4.7 million), 17.9 million BUSD ($17.9 million), 5.7 million USDT ($5.7 million), 638,000 ADA ($0.8 million), 26,500 DOT ($0.8 million), 34,000 wrapped BNB ($18 million), and 112,000 U92 tokens, a native token of Uranium, were drained.

Uranium, which was launched this month, said the exploitation took place during the migration of its protocol to the V2.1 version.

Uranium is an automated market maker (AMM) protocol, forked from Uniswap V2, and claims to give daily dividends to its users.

"In our pools and farms, you're rewarded with our U92 token, like every other DEX [decentralized exchange]. The difference is that we have created a second token, the U92 counterpart : U235. Holding this token on your wallet makes you an investor of our AMM, making you earn dividends in BNB and BUSD every block," reads Uranium's website.

It is not clear what exactly went wrong amid migration, but according to Igamberdiev, pair contracts in Uranium's V2 version had a bug.

Due to this bug, anyone could interact with the pair contracts and withdraw almost all tokens. (Pair contracts are smart contracts for special pairs in an AMM, say, for example, WETH-USDC).

Essentially, the bug allowed the exploiter to use a swap function in Uranium to drain the funds.

The exploiter has already started moving and withdrawing funds. About $6.4 million or 2,438 ETH have been withdrawn via Tornado Cash, an Ethereum mixer based on zero-knowledge proofs technology that lets users withdraw funds anonymously.

The exploiter first swapped DOT and ADA tokens to ETH via Binance Smart Chain-based decentralized exchange PancakeSwap. Then they swapped the BSC version of ETH to the Ethereum version of ETH via AnySwap, a cross-chain swap protocol.

All 80 bitcoin have also been withdrawn by the exploiter using AnySwap.

This could be an insider job or a rug pull, according to Igamberdiev, because Uranium's V2 version had a bug, and its team did not perform a white-hat attack before the migration to the V2.1 version.

The Uranium contracts repository has also been removed from GitHub for some unknown reasons.

The Block has reached out to Uranium for comments and will update this story should we hear back.