The Belt Finance protocol has become the latest Binance Smart Chain-based DeFi platform to lose millions to software exploitation.
According to a post on the Rekt blog, the attacker managed to drain the money through exploitation in the way that the protocol calculates the value of its collateral.
“An incorrect share valuation helps to add another notch to the now infamous flash loan exploit season on the BSC,” the post said. “Yet another fork of a fork has rolled off the conveyor belt with $6.3M falling straight into the hands of the hacker.”
May 30, SushiSwap core developer, Mudit Gupta described the incident in a Twitter thread. He explained that the attacker exploited several aspects of Belt’s operations to take out flash loans and then inflate the value of its pools; the attacker then repaid the loan, pocketing more than $6 million in the process.
“Basically, the issue happened because Belt incorrectly integrated with Ellipsis,” Gupta said. Ellipsis is a BSC-based stablecoin decentralized exchange.
Belt Finance got hacked today, losses worth ~$13mm. Withdrawals have been paused to prevent further losses. The exploit happened due to an incorrect valuation of 3eps shares. This was one of the more complex hacks in recent times🧵👇 pic.twitter.com/WCFDoDFyh0
— Mudit Gupta (@Mudit__Gupta) May 30, 2021
“A similar issue happened last month as well in belt finance, but at that time, the problem was a buggy integration with Venus. I wonder if belt has any bug-free integration (sic),” he continued. In addition, Venus is a lending protocol based on the Binance Smart Chain.
The Belt Finance exploitation marks the eighth time that a BSC-based protocol has been exploited by a hacker this year. Belt joins the ranks of Cream Finance, bEarn, Bogged Finance, Uranium Finance, Meerkat Finance, SafeMoon and Spartan Protocol.
Binance has reportedly sought analytical support from the cybersecurity firm, CipherTrace to prevent further exploitations from taking place on BSC.