Missing line of code leads to $7.2 million exploit of DEX BurgerSwap

Quick Take

  • Decentralized exchange BurgerSwap has been exploited for $7.2 million.
  • According to Uniswap founder Hayden Adams, it could have easily been avoided.

Yet another DeFi platform has been exploited for millions of dollars. This time, it’s BurgerSwap, a decentralized exchange (DEX) based on Binance Smart Chain. 

According to The Block Research’s Igor Igamberdiev, an attacker used flash loans to exploit the protocol for $7.2 million. Flash loans are blockchain-based loans where large amounts of tokens are borrowed, used for some purpose and repaid — all in the same transaction.

But the attack was only possible because the exchange was missing a key line of code, one that it should have had, according to Hayden Adams, founder of the decentralized exchange Uniswap. Adams tweeted today that BurgerSwap was based on Uniswap’s V2 code but a specific line of code had been removed, "so core could very trivially be drained."

As a result, the perpetrator was able to use the protocol to make two transactions when they should only have been able to make one. In one example, after borrowing 6,000 wrapped BNB (WBNB), they were able to turn those tokens into 8,800 WBNB, something the protocol should have prevented. After repaying the loan, they were left with a stash of remaining tokens.

The same attack was used multiple times, across 14 transactions, to steal a range of tokens, including WBNB, ether (ETH), two stablecoins and a large stash of BurgerSwap tokens (BURGER).
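The effect of a single missing guard can be shown with a small model. This is an added example, not code from BurgerSwap or Uniswap: it assumes the removed line was the constant-product ("K") invariant check in Uniswap V2's swap routine, which the article does not quote, and the `Pair` class, `max_out`, `demo` and all reserve figures are constructed for illustration.

```python
from dataclasses import dataclass

FEE_NUM, FEE_DEN = 3, 1000  # 0.3% swap fee, as in Uniswap V2


class InvariantError(Exception):
    """Raised when a swap would leave the pool below its invariant."""


@dataclass
class Pair:
    reserve0: int
    reserve1: int

    def swap(self, in0, in1, out0, out1, check_k=True):
        """Settle a swap: in0/in1 were paid in, out0/out1 were sent out."""
        if out0 >= self.reserve0 or out1 >= self.reserve1:
            raise InvariantError("insufficient liquidity")
        bal0 = self.reserve0 + in0 - out0
        bal1 = self.reserve1 + in1 - out1
        # Fee-adjusted balances, scaled by FEE_DEN to stay in integers.
        adj0 = bal0 * FEE_DEN - in0 * FEE_NUM
        adj1 = bal1 * FEE_DEN - in1 * FEE_NUM
        k_before = self.reserve0 * self.reserve1 * FEE_DEN**2
        # The guard: the reserve product must not shrink across a swap.
        if check_k and adj0 * adj1 < k_before:
            raise InvariantError("K")
        self.reserve0, self.reserve1 = bal0, bal1


def max_out(reserve_in, reserve_out, amount_in):
    """Largest output the invariant permits for a given input."""
    a = amount_in * (FEE_DEN - FEE_NUM)
    return a * reserve_out // (reserve_in * FEE_DEN + a)


def demo():
    """Constructed reserves; returns (fair_out, rejected, unguarded_k)."""
    fair = max_out(1_000_000, 1_000_000, 10_000)
    guarded = Pair(1_000_000, 1_000_000)
    guarded.swap(10_000, 0, 0, fair)  # a fairly priced trade passes
    try:
        guarded.swap(10_000, 0, 0, 500_000)  # overpaying output is refused
        rejected = False
    except InvariantError:
        rejected = True
    unguarded = Pair(1_000_000, 1_000_000)
    unguarded.swap(10_000, 0, 0, 500_000, check_k=False)  # guard absent
    return fair, rejected, unguarded.reserve0 * unguarded.reserve1
```

With the guard in place the pool's reserve product can only stay level or grow; with it absent, the same call is accepted and the product falls, which is the condition an audit of a forked pair contract should test for.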


“The current total loss is around $7 million and we will strive to cover all your loss,” BurgerSwap tweeted today,