DEFI

There have been at least 7 flash loan attacks in the BSC ecosystem in May, with estimated total losses exceeding $100 million.

share
There have been at least 7 flash loan attacks in the BSC ecosystem in May, with estimated total losses exceeding $100 million.

Binance Smart Chain (BSC) experienced explosive growth in the first half of this year, attracting a significant number of users and assets due to its user-friendly interface and low costs. The BSC ecosystem has become the first step for many newcomers to enter the DeFi field. However, a recent series of flash loan attacks may have a significant impact and psychological shadow on these novice investors.

Seven Flash Loan Attacks Occurred in May

"Flash loan" is a special liquidity solution where the core principle is that both "borrowing" and "repayment" must be completed within a single transaction, allowing for uncollateralized borrowing. Its original intention was to serve as a tool for investors to conduct risk-free arbitrage, but it has often been used as a tool for hackers to launch attacks. In May of this year, the DeFi ecosystem on BSC experienced at least 7 flash loan attack incidents, with total estimated losses exceeding $100 million. The projects that were attacked include:

Spartan Protocol

On May 2, the synthetic asset protocol Spartan Pools V1 fell victim to a flash loan attack due to a contract vulnerability, resulting in approximately $30 million in losses.

bEarn Fi

On May 16, the cross-chain DeFi protocol bEarn Fi was attacked via a Vault code vulnerability, leading to losses of around $10.86 million.

Pancake Bunny

On May 20, the DeFi yield aggregator PancakeBunny suffered an attack where hackers exploited a price manipulation opportunity using PancakeSwap's trading prices as the main reference data and a vulnerability in the PancakeBunny minting contract. The attack resulted in losses of about $42 million.

Bogged Finance

On May 23, the BSC-based aggregator trading protocol Bogged Finance was attacked through a vulnerability in the BOG token contract's staking function (allowing for staking rewards to be withdrawn before contract verification). The estimated loss was approximately $3 million.

AutoShark Finance

On May 25, the BSC-based fixed-rate protocol AutoShark Finance experienced an attack due to a flaw in the minting contract that resulted in incorrect calculations of contributor values, allowing attackers to mint a large amount of SHARK tokens. Estimated losses were around $820,000.

Julswap

On May 27, the BSC-based automated market maker protocol Julswap also suffered a 95% coin price drop under a flash loan attack. The official details of the losses and incident have not been disclosed.

BurgerSwap

On May 28, the automated market maker protocol BurgerSwap was attacked due to a code vulnerability that allowed attackers to execute a second trade before the protocol updated the pool reserves. Hackers exploited this and conducted the attack through a flash loan, resulting in estimated losses of around $7.2 million.

A Series of Events Sparked Various Speculations

Some believe that the recent surge in flash loan attacks within the BSC ecosystem is due to certain issues within the BSC network itself. However, in reality, Ethereum has also experienced frequent flash loan attacks in the past. Furthermore, from the statistics mentioned above, it is evident that most of the attacks are related to vulnerabilities within the protocols themselves, rather than issues with the underlying BSC chain. Nevertheless, this series of attacks has sparked conspiracy theories in the market, with some believing that these events are all tactics used by insiders to exploit investors. For example, in the recent BurgerSwap attack incident, Uniswap founder Hayden Adams questioned the development team's decision to delete crucial code.

However, these are all speculations from external sources, and the true facts may only be known by the development teams themselves.