Missing line of code leads to $7.2 million exploit of DEX BurgerSwap

Quick Take

  • Decentralized exchange BurgerSwap has been exploited for $7.2 million.
  • According to Uniswap founder Hayden Adams, it could have easily been avoided.

Yet another DeFi platform has been exploited for millions of dollars. This time, it’s BurgerSwap, a decentralized exchange (DEX) based on Binance Smart Chain. 

According to The Block Research’s Igor Igamberdiev, an attacker used flash loans to exploit the protocol for $7.2 million. Flash loans are blockchain-based loans where large amounts of tokens are borrowed, used for some purpose and repaid — all in the same transaction.

But the attack was only possible because the exchange was missing a key line of code, one that it should have had, according to Hayden Adams, founder of the decentralized exchange Uniswap. Adams tweeted today that BurgerSwap was based on Uniswap’s V2 code but a specific line of code had been removed, "so core could very trivially be drained."

As a result, the perpetrator was able to use the protocol to make two transactions when they should only have been able to make one. So, in one example, when they borrowed 6,000 wrapped BNB (WBNB), they were able to use the tokens to turn them into 8,800 WBNB (something the protocol should have prevented). After repaying the loan, they were left with a stash of remaining tokens.

This same attack was used multiple times in 14 transactions to steal a range of tokens, including WBNB, ether (ETH), two stablecoins and a large stash of Burger Swap tokens (BURGER).


Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

“The current total loss is around $7 million and we will strive to cover all your loss,” BurgerSwap tweeted today, adding, “We understand what the community cares about the most. Detailed compensation plan is on the way.”

According to Igamberdiev, the hacker has started using the Nerve protocol to sell the tokens and transfer them across to the Ethereum blockchain.

This exploit comes just over a week after Binance Smart Chain-based DeFi protocol Bunny Finance was exploited and saw $45 million drained from its ecosystem. In March, yield farming pool Meerkat Finance, also on Binance Smart Chain, was lost $31 million — in what may have been a rug pull.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Tim is the Editor-In-Chief of The Block. Prior to joining The Block, Tim was a news editor at Decrypt. He has earned a bachelor's degree in philosophy from the University of York and studied news journalism at Press Association Training. Follow him on X @Timccopeland.