Uranium Finance, a decentralized finance (DeFi) project on Binance Smart Chain (BSC), reported that it has suffered a security breach, with millions of dollars in Ethereum (ETH) on the move and being laundered through a popular privacy tool.
“Uranium migration has been exploited, the following address has 50m in it,” tweeted the project today. “The only thing that matters is keeping the funds on BSC, everyone please start tweeting this address to Binance immediately asking them to stop transfers.”
The contract currently shows 0 Binance coin (BNB), as well as nearly 18m Binance USD (BUSD) and 34,186 wrapped BNB (WBNB) – USD 37m in total.
An address allegedly involved in the hack currently holds USD 92,604 in ETH and DAI 2,581. In the last three hours, the ‘Uranium Finance Hacker’ has been moving the funds out in batches of ETH 100, 22 times so far, through the privacy-focused wallet Tornado Cash. In total, this address shows that ETH 2,201 has been moved so far, currently worth nearly USD 5.76m.
Hackers allegedly took over the migration of Uranium’s liquidity provider (LP) tokens.
Some also argue that the issue was a bug exploited by the attacker.
MyCrypto.com noted that, per a Telegram group member, “funds migrated to contract > funds laundered off of BSC > funds moved to ETH and to BTC.”
Commenters are calling out the project, claiming that this is the second security incident it has faced and that it is giving BSC a bad name.
Earlier in April, the team said that they’ve learned from their “missteps in V1, and have made the security and reliability of both our contracts and web infrastructure our highest priority.”
And there are also accusations of a potential exit scam.
That’s the excuse literally every single rug pull has used. They exit scammed, that’s what happened.
— Mr. Whale (@CryptoWhale) April 28, 2021
Finally, with Tornado Cash being used, some argue that there is nothing more to be done about the stolen funds.
That's pretty sad but it seems it's too late now. https://t.co/hUTOL6QofU
— Lex Moskovski (@mskvsk) April 28, 2021
This incident is still developing.