Let's Talk

Explained: The Uranium Finance Hack (April 2021)

Rob Behnke

On April 28, 2021, the Uranium Finance project on the Binance Smart Chain (BSC) was the victim of a smart contract hack.  The attacker drained approximately $50 million worth of tokens from Uranium’s “pair contracts”.

Inside the Hack

The Uranium Finance hack was made possible by a calculation error in the swap function of version 2 of the project’s contracts.

In the image above, shared on Igor Igamberdiev’s Twitter feed, the issue is marked in red and green.  The “sanity check” code for the balance adjustment uses a value of 1000**2 = 1,000,000; however, the actual balance adjustments were for 10,000, a value 100 times lower.  

This discrepancy allowed the attacker to send a small amount of value to the contract and extract a much larger one with the swap function, draining the contract’s reserves of value.

Lessons Learned From the Hack

The vulnerability exploited in Uranium’s smart contracts was known to the team prior to the hack.  The project had commissioned a security audit that had detected a low-severity vulnerability in the code.  Upon further investigation, the project’s developers determined that it was actually severe and fixed the vulnerability.  However, at this point, the code in v2.0 was already live and exploited by an attacker 2 hours before the transition was performed.

This hack underscores the importance of not only performing a security audit but also working through the report before launching the code.  The team obviously had the ability to identify the vulnerability since they fixed it in the update pre-hack (and believe that the hack resulted from an internal leak).  However, launching the code before completing their investigations resulted in a $50 million hack.


Get in touch with us at Halborn by emailing [email protected] to hear more about our comprehensive blockchain security audits.

LET’S CONNECT

We’re looking for passionate, blockchain-loving, offensive security engineers and white hat hackers to join the team.

For secure communications, use [email protected]

Contact Us

crossmenuchevron-down linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram