Flash loans are instantaneous crypto loans. A borrower can do whatever they like with the funds, so long as they repay the loan within the same transaction.
BurgerSwap conducted a post-mortem investigation with blockchain security firm PeckShield to work out how flash loans manipulated the protocol.
They discovered that, at 9PM UTC yesterday, an attacker deployed a fake BEP-20 token—a generic token standard on the Binance Smart Chain—and used it to form a trading pair with BURGER, BurgerSwap’s native token.
Later, the attacker executed a code to manipulate the reserve supply of that trading pair, causing the price of $BURGER to move drastically. The attacker capitalized on that phony price difference through flash loans and continued to scheme their way through the exchange.
The attacker eventually made off with $1.6 million in Wrapped BNB, $6,800 in ETH), $3.2 million of BURGER coin, $1 million of xBURGER, a synthetic version of BURGER, 95,000 ROCKS ($152,000), $22,000 of Binance’s US dollar-pegged stablecoin, BUSD, and a further $1.4 million of USD stablecoin Tether.
“We understand what the community cares about the most. Detailed compensation plan is on the way”, BurgerSwap tweeted today. “All we [are] asking for is some time.”
(6) In total attacker received 8,800 $WBNB in the two latest steps; (7) Swapped 493 $WBNB to around $108,700 BURGER on BurgerSwap; (8) Attacker repay the flash swap; pic.twitter.com/p6oxQpGtQm