BurgerSwap Flash Loan Exploit Leaves $7.2 Million in Losses of Stolen Ether, BNB, and More

Another Binance Smart Chain project has been exploited in a flash loan attack, with DeFi platform BurgerSwap the victim this time. According to a Twitter post by the BurgerSwap team, approximately $7.2 million in funds were lost in the exploit.

The current total loss is around $7 million and we will strive to cover all your loss. — BurgerSwap (@burger_swap) May 28, 2021

What Exactly Are Flash Loans?

Flash loans are blockchain-based loans of tokens, with properties that set them apart from more traditional loans. First, they are issued through smart contracts: the borrower must pay back the loan before the transaction ends, or the smart contract cancels or reverts the transaction.

Moreover, there is no collateral required for flash loans. Rather, the borrower must pay back when the flash loan is settled — which is often instantaneous. Thus, the borrower needs to rely on several other smart contracts to perform trades with the loaned funds before the transaction is settled.

BurgerSwap’s Key Mistake

While exploits using flash loans have become a recurring theme, this attack was only possible because the platform was missing a crucial line of code. According to Uniswap founder Hayden Adams, BurgerSwap was based on Uniswap V2’s code, but a specific line had been removed, allowing the platform to be “drained.”

This thread sounds complicated. Here's what happened very simply. Uniswap v2 fork removed the only line that enforces x*y=k from core: So core could very trivially be drained. This is the line that was removed: https://t.co/iN3nc1xMTm i WoNDer WhY THey DiD tHAt https://t.co/B9TN3KP25U — Hayden Adams 🦄 (@haydenzadams) May 28, 2021

Because of the single missing line of code, the exploiters could make two separate transactions when they should have been able to make only one. This tricked BurgerSwap’s protocol into closing a single transaction, leaving the borrower to keep the pool of leftover funds.
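To make the x*y=k point concrete, the Python sketch below models a Uniswap-V2-style pool and a regression check that a fork could run to confirm the product of its reserves never shrinks across a swap. It is an added example, not BurgerSwap's or Uniswap's code; the names Pair, enforce_k and k_never_decreases, the 0.3% fee and the sample trades are assumptions made for illustration.

```python
# Added illustration: simplified model of a Uniswap-V2-style pair contract.
# Pair, enforce_k and k_never_decreases are hypothetical names, not project code.

class Pair:
    def __init__(self, reserve0, reserve1, enforce_k=True):
        self.reserve0, self.reserve1 = reserve0, reserve1
        self.enforce_k = enforce_k  # False models a fork with the check removed

    def swap(self, amount0_in, amount1_in, amount0_out, amount1_out):
        """The caller has already sent amount*_in; the pool pays amount*_out."""
        if amount0_out >= self.reserve0 or amount1_out >= self.reserve1:
            raise ValueError("INSUFFICIENT_LIQUIDITY")
        balance0 = self.reserve0 + amount0_in - amount0_out
        balance1 = self.reserve1 + amount1_in - amount1_out
        # 0.3% fee on the input side, in integer math scaled by 1000.
        adjusted0 = balance0 * 1000 - amount0_in * 3
        adjusted1 = balance1 * 1000 - amount1_in * 3
        # The single check that enforces x*y=k: balances after the swap
        # must be worth at least as much as the reserves before it.
        k_before = self.reserve0 * self.reserve1 * 1000 ** 2
        if self.enforce_k and adjusted0 * adjusted1 < k_before:
            raise ValueError("K")
        self.reserve0, self.reserve1 = balance0, balance1


def k_never_decreases(pair, trades):
    """Replay trades and report whether reserve0 * reserve1 ever shrank."""
    for trade in trades:
        k_before = pair.reserve0 * pair.reserve1
        try:
            pair.swap(*trade)
        except ValueError:
            continue  # a rejected trade leaves the reserves untouched
        if pair.reserve0 * pair.reserve1 < k_before:
            return False
    return True


# Constructed sample trades (amount0_in, amount1_in, amount0_out, amount1_out):
# a fairly priced swap, then a payout with no matching input.
TRADES = [(1_000, 0, 0, 900), (0, 0, 50_000, 0)]

if __name__ == "__main__":
    print("check present:", k_never_decreases(Pair(10**6, 10**6), TRADES))
    print("check removed:", k_never_decreases(Pair(10**6, 10**6, False), TRADES))
```

With the check in place the unbacked payout is rejected and the reserves are unchanged; with it removed the same replay reports a shrinking product, which is the condition a fork's test suite should fail on.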

The same exploit was used in 14 different transactions, stealing a range of tokens including Wrapped Binance Coin (WBNB), Ethereum (ETH), and BurgerSwap (BURGER).

“The current total loss is around $7 million and we will strive to cover all your loss,” BurgerSwap tweeted earlier today. “We understand what the community cares about the most. Detailed compensation plan is on the way.”
