After four years of investigations, U.S. authorities have seized $31 million in cryptocurrency related to the 2021 Uranium Finance hack.
On Monday, the Southern District of New York announced the seizure as a coordinated effort with the Homeland Security Investigations of San Diego.
Uranium Finance was released on April 1, 2021, and was a fork of Uniswap, an automated market maker, released on the BNB chain.
On April 28, 2021, Uranium Finance suffered a Web 3.0 security breach. The result was $50 million in lost tokens spanning 26 different market pairs, making it one of the most devastating DeFi attacks of the time.
The attackers laundered the money through crypto mixers and centralized exchanges, transferring small amounts simultaneously to avoid detection. ZachXBT, a blockchain researcher, claims that the attackers, in an effort to launder more money, used the blockchain game Magic: The Gathering, using trading cards to mix the stolen funds.
Victims of the attack were left stranded, not knowing what was happening behind the scenes, heightened by the fact that Uranium Finance’s website shut down on April 28, 2021, and their X account hasn’t made a post since April 30, 2021.
The breach allowed attackers to inflate the project’s balance, manipulate token pairs, and drain funds from liquidity pools.
A brief inspection of the original Uniswap code reveals that the post-swap balances of a pair are scaled by 1,000 when the swap fee is deducted, producing the fee-adjusted X and Y values. At the same time, the product K, used as the checking value that a swap must preserve, is scaled by the same factor, so both sides of the comparison are on the same scale.
Uniswap is a very popular swapping protocol, having experienced many transactions and, therefore, having many more security patches. The problem, however, is when a fork happens without the development team moving over to the new project.
The Uranium Finance fork of the code, however, uses a magic value of 10,000 instead of 1,000 for the fee-adjusted balances. More critically, it continues to use 1,000 on the K side of the check, introducing a discrepancy that can be exploited to inflate the prices. Because each balance is scaled by 10,000 while K is still scaled by 1,000 per token, the product being checked is guaranteed to come out 100 times larger, relative to K, than it did before the swap.
With the check weakened in this way, an attacker can swap a minimal amount of tokens for a much larger amount. In the case of Uranium Finance, the attacker could drain the liquidity pools of the pair tokens.
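The following is an added example, not code from the article or from the Uniswap or Uranium Finance contracts: a small Python model of the constant-product check described above, parameterised by the scale used for the fee-adjusted balances and the scale used for K, so a reviewer can test a fork for exactly this mismatch before deployment. The reserve sizes and the fee of 16 per 10,000 on the fork side are constructed values.

```python
# Model of a Uniswap V2 style swap invariant check (added example, not the
# project's code). Balances are scaled by fee_scale, the fee is deducted from
# the scaled input, and the product is compared against reserve0*reserve1
# scaled by k_scale squared. In the original code fee_scale == k_scale.

FEE_SCALE_ORIGINAL = 1000   # balances scaled by 1000, fee 3/1000
FEE_SCALE_FORK = 10000      # the fork scaled balances by 10000 instead


def k_check_passes(reserve0, reserve1, amount0_in, amount1_in,
                   amount0_out, amount1_out, fee_scale, k_scale, fee):
    """True if the swap is accepted by the invariant check.

    balanceAdjusted = balance * fee_scale - amountIn * fee
    require(balance0Adj * balance1Adj >= reserve0 * reserve1 * k_scale**2)
    """
    balance0 = reserve0 + amount0_in - amount0_out
    balance1 = reserve1 + amount1_in - amount1_out
    if balance0 < 0 or balance1 < 0:
        return False
    adj0 = balance0 * fee_scale - amount0_in * fee
    adj1 = balance1 * fee_scale - amount1_in * fee
    return adj0 * adj1 >= reserve0 * reserve1 * k_scale ** 2


def max_output_accepted(reserve0, reserve1, amount0_in,
                        fee_scale, k_scale, fee):
    """Largest amount1_out the check lets through for amount0_in.

    Binary search over the output; a reviewer's audit test should expect
    this to be no more than the fee-adjusted constant-product output.
    """
    lo, hi = 0, reserve1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if k_check_passes(reserve0, reserve1, amount0_in, 0, 0, mid,
                          fee_scale, k_scale, fee):
            lo = mid
        else:
            hi = mid - 1
    return lo


def scales_match(fee_scale, k_scale):
    """The one-line audit check: both sides of the invariant use one scale."""
    return fee_scale == k_scale
```

With one million units in each reserve, a one-unit input is allowed no output under the original constants but 990,000 units (99% of the pool) under the fork's mismatched constants, which is the drain the article describes.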
The next step in hacking Uranium Finance was to withdraw and obfuscate the stolen tokens. This was done by mixing the tokens using Tornado Cash and depositing the new tokens into a centralized exchange.
The attackers seemed to have been meticulous with their hack, raising the question of how the authorities tracked the stolen tokens. The authorities have not revealed all the details about the seizure of funds, and more information may be released later.
The attack spanned multiple tokens. Of the $50 million extracted, Binance’s Blockchain Token (BNB) and Binance’s Stablecoin (BUSD) lost $18 million. Ethereum (ETH) and Binance’s Wrapped Bitcoin (BTCB) lost around $9 million. USDT lost around $6.7 million. DOT, ADA, and Uranium Finance Token lost $1.7 million.
Open information from BscScan shows the attackers swapping ADA and DOT for Ethereum, preparing to launder the tokens, and accumulating around 2,400 ETH.
These tokens, amounting to around $5.7 million, were mixed with Tornado Cash, an Ethereum anonymity and privacy tool.
The Uranium Finance hack shows how easy it is to exploit a Web 3.0 platform by noticing a single code mistake. Discrepancies between forked and original projects are especially risky because a forked project does not always transfer the human capital, experience, funding, and teamwork from the original project. In the case of Uranium Finance, a smart contract was vulnerable due to a K invariant exploit.