In brief

  • An as-yet-unidentified hacker used flash loans to drain $6.2 million out of Belt Finance’s beltBUSD pool.
  • With fees included, the total cost of the attack was more than $50 million worth of BUSD.

Belt Finance is the latest Binance Smart Chain-based decentralized finance (DeFi) project to lose millions of dollars after an unknown hacker performed a so-called flash loan attack on the protocol.

Belt Finance is a decentralized exchange akin to Uniswap, but it has been optimized for stablecoin transfers rather than more volatile crypto assets.

The attack, performed on Saturday evening, saw the 4Belt pool lose 6,234,753 BUSD, a stablecoin pegged to the U.S. dollar built on the Binance Chain. According to the project’s incident report, it was executed “with pinpoint accuracy” using a method that the team failed to safeguard against.

With the help of a smart contract that used PancakeSwap for flash loans, the attacker managed to exploit the beltBUSD pool and its underlying strategy protocols. The hacker executed the contract eight times before the developers became aware of the incident and halted withdrawals and deposits and patched the vulnerability.

While the attack lasted a mere ten minutes, it was enough for beltBUSD vault users to suffer a 21.36% loss of funds, while 4Belt pool users lost 5.51%, the team said. The combined cost of the attack was 50,030,452 BUSD, with 43,795,699 BUSD used as transaction fees.

According to Belt Finance, withdrawals and deposits of funds will resume within the next 24–48 hours. The team is also working on a compensation plan that will be detailed within the next 48 hours.

What is a flash loan attack?

A flash loan attack is a type of DeFi attack where a hacker takes out a flash loan from a lending protocol and utilizes a number of tricks to manipulate the market in their favor.

Flash loans are uncollateralized loans that the borrower takes out and pays back within a single transaction. They are useful in these kinds of attacks because they allow for easy access to capital: in just seconds, the attacker can borrow capital, exploit a vulnerability for millions of dollars, and repay the initial loan, all within a single transaction. If, however, the loan isn't paid back, the entire transaction is reversed.

Cheap to pull off and easy to get away with, flash loan attacks often involve the use of several DeFi protocols to conceal the traces and can be executed in seconds.

Since 2020, flash loan attacks have resulted in several hundred million dollars in losses for various DeFi protocols and appear to be gaining more popularity among cybercriminals, with more Binance Chain-based projects targeted in recent weeks.

Earlier this month, PancakeBunny, a decentralized exchange (DEX) built on the BSC, fell victim to a flash loan attack and lost $45 million in user funds. Just days later, BurgerSwap DEX was targeted with a similar attack, with a total of $7.2 million drained from its wallet.

On other occasions this year, BSC projects including Uranium Finance, bEarn, Spartan Protocol, Autoshark, and Merlin Labs have all fallen victim to a variety of different exploits.

There could be some light at the end of the tunnel for BSC-based protocols, though; last week, crypto intelligence firm CipherTrace added support for the blockchain, providing tools to detect suspicious on-chain activity.