
BurgerSwap Explains $7.2 Million Flash Loan Attack in Post-Mortem

Another Binance Smart Chain project falls victim to a flash loan attack involving a fake token and price manipulation.


In brief

  • In yesterday’s attack, BurgerSwap lost $7.2 million worth of tokens, including stablecoins.
  • BurgerSwap is set to announce a “detailed compensation plan.”

In just 14 transactions, a flash loan attack drained $7.2 million from the wallets of BurgerSwap, a decentralized exchange based on the Binance Smart Chain.

Flash loans are instantaneous crypto loans. A borrower can do whatever they like with the funds, so long as they repay the loan within the same transaction.

BurgerSwap conducted a post-mortem investigation with blockchain security firm PeckShield to work out how flash loans manipulated the protocol.

They discovered that, at 9PM UTC yesterday, an attacker deployed a fake BEP-20 token—a generic token standard on the Binance Smart Chain—and used it to form a trading pair with BURGER, BurgerSwap’s native token.

Later, the attacker executed code to manipulate the reserve supply of that trading pair, causing the price of $BURGER to move drastically. The attacker capitalized on that phony price difference through flash loans and continued to scheme their way through the exchange.
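The two mechanisms described above, a loan that must be repaid within the same transaction and a price taken from a pair's reserves, shown as an added Python example that is not BurgerSwap's or PeckShield's code. The toy ledger, its balances, the reserve-ratio price and the `guarded_price` deviation check are constructed assumptions; the article does not describe BurgerSwap's pricing formula or any fix.

```python
from copy import deepcopy

class Revert(Exception):
    """Aborts a transaction; every state change made in it is rolled back."""

class Chain:
    """Constructed toy ledger: one lender balance and one two-token pair."""
    def __init__(self):
        self.state = {"lender": 1_000_000.0,  # WBNB available to lend
                      "pair": {"BURGER": 100_000.0, "WBNB": 1_000.0}}

    def transact(self, fn):
        """Run fn atomically: keep changes on success, restore on Revert."""
        snapshot = deepcopy(self.state)
        try:
            fn(self.state)
            return True
        except Revert:
            self.state = snapshot
            return False

def spot_price(pair):
    """WBNB per BURGER, read straight from the pair's current reserves."""
    return pair["WBNB"] / pair["BURGER"]

def flash_loan(state, amount, callback):
    """Lend amount, run the borrower's callback, revert unless repaid."""
    before = state["lender"]
    state["lender"] -= amount
    callback(state, amount)
    if state["lender"] < before:
        raise Revert("flash loan not repaid")

def guarded_price(pair, reference, max_deviation=0.05):
    """Refuse a spot price that strays too far from a trusted reference."""
    price = spot_price(pair)
    if abs(price - reference) / reference > max_deviation:
        raise Revert("price deviates from reference")
    return price

def demo():
    chain = Chain()
    reference = spot_price(chain.state["pair"])  # recorded before the transaction
    def skew(state, amount):
        state["pair"]["WBNB"] += amount          # reserves shifted mid-transaction
        guarded_price(state["pair"], reference)  # guard reverts here
        state["lender"] += amount
    unpaid = chain.transact(lambda s: flash_loan(s, 500_000.0, lambda st, a: None))
    skewed = chain.transact(lambda s: flash_loan(s, 500_000.0, skew))
    return unpaid, skewed, chain.state["lender"], spot_price(chain.state["pair"])
```

Both transactions in `demo()` revert: the unpaid loan fails the repayment check, and the skewed reserves fail the reference-price check, so the lender balance and pair price end where they started.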

The attacker eventually made off with $1.6 million in Wrapped BNB, $6,800 in ETH, $3.2 million of BURGER coin, $1 million of xBURGER (a synthetic version of BURGER), 95,000 ROCKS ($152,000), $22,000 of BUSD (Binance’s US dollar-pegged stablecoin), and a further $1.4 million of the USD stablecoin Tether.

“We understand what the community cares about the most. Detailed compensation plan is on the way”, BurgerSwap tweeted today. “All we [are] asking for is some time.”

BurgerSwap launched in September 2020 on the Binance Smart Chain (BSC), a popular decentralized finance (DeFi) alternative to the Ethereum network.

The BurgerSwap attack comes a week after PancakeBunny, another Binance Smart Chain-hosted DEX, fell victim to a similar attack and lost $45 million in customer funds.

Disclaimer

The views and opinions expressed by the author are for informational purposes only and do not constitute financial, investment, or other advice.
