Halborn Logo

// Blog

Explained: The Belt Finance Hack (May 2021)


profile

Rob Behnke

June 3rd, 2021


Belt Finance is a DeFi project based on the Binance Smart Chain (BSC).  In May 2021, Belt fell victim to a flash loan attack that netted the attacker about $6.3 million in cryptocurrency.

Inside the Attack

The Belt Finance hack is another example of a flash loan attack, which has become increasingly common in the DeFi space (see: BurgerSwap hack).  The attacker borrows cryptocurrency using a flash loan, manipulates the value of a token within a liquidity pool, extracts more value than they put into the pool, and pays off the loan while keeping a tidy profit.

In the case of the Belt Finance hack, the attacker exploited the Ellipsis strategy within Belt and took advantage of a bug in the integration with the Venus strategy.  Belt implements a multi-strategy vault for BUSD, which has a target balance for each strategy within the vault.  Deposits into the vault are placed in the most undersubscribed strategy, while withdrawals come from the most oversubscribed strategy.

At the time of the attack, the Venus strategy was most undersubscribed, so a massive deposit by the attacker went into it, causing it to become the most oversubscribed pool.  The attacker then unbalanced the 3eps pool by swapping BUSD to USDT using Ellipsis.

This imbalance was significant because Belt Finance calculates the value of its shares based upon the value of the 3eps pool and the assumption that all of its strategies are balanced.  This calculation overestimated the value of its vault shares.  When the attacker withdrew BUSD from the Venus strategy, they received more tokens than they should have, providing a profit.

Each iteration of the attack provided a profit of about $1 million.  By repeating it seven times, the attacker made about $6.3 million in fees.

Lessons Learned from the Attack

The Belt Finance hack is another example of a flash loan attack, which the Belt team claimed was impossible with their protocol.  In this particular case, the attack was made possible by a faulty assumption that all strategies within Belt’s multi-strategy vault would be balanced, meaning that a calculation of the value of the Ellipsis strategy would be enough to estimate the value of all strategies in the vault and that of each vault share.

Faulty assumptions about the valuation of a token within a liquidity pool have plagued DeFi protocols and caused millions of dollars in losses in recent months. 

While these issues are identifiable and fixable, many projects are launched without the security audits needed to ensure that they are secure and properly protecting user funds.

© Halborn 2024. All rights reserved.