On May 30th, Beijing time, PeckShield’s “Paid shield” warning showed that Belt Finance, an AMM protocol combined with multi-strategy revenue optimization on the BSC chain, was attacked by lightning loans.
Through tracking and analysis, PeckShield found that the attack originated from the attacker repeatedly buying and selling BUSD, using loopholes in the calculation of the balance of the bEllipsisBUSD strategy to manipulate the price of beltBUSD for profit.
What’s interesting is that Ellipsis is a project of Fork authorized by Curve on the DeFi protocol on Ethereum. Judging from past attacks related to Curve, has Pandora’s box been opened again?
The following is the attack process:
In the first step, the attacker borrowed 8 flash loans from PancakeSwap:
FLIP WBNB-BUSD: 107,736,995.2 BUSD
FLIP USDC-BUSD: 38,227,899.2 BUSD
FLIP BUSDT-BUSD: 153,621,552.7 BUSD
FLIP DAI-BUSD: 31,372,406.8 BUSD
FLIP UST-BUSD: 17,505,135.1 BUSD
FLIP VAI-BUSD: 17,294,888.2 BUSD
FLIP ALPACA-BUSD: 10,828,766.5 BUSD
FLIP CAKE-BUSD: 10,728,353.2 BUSD
Deposit 10 million BUSD into the bEllipsisBUSD strategy;
The second step is to deposit 187 million BUSD into the bVenusBUSD strategy, and then exchange 190 million BUSD into 169 million USDT through the Ellipsis contract;
Repeat the operation of withdrawal-exchange-charge 7 times: the attacker extracts more BUSD from the strategy bVenusBUSD, exchanges 190 million BUSD into 169 million USDT through the Ellipsis contract, and deposits the BUSD into the bVenusBUSD strategy;
Since the price of beltBUSD depends on the sum of all machine gun pool balances, the attacker deposits BUSD into the bVenusBUSD strategy and then proposes BUSD. In theory, since the number of assets remains the same, even if the attacker repeats the operation multiple times, it will not make a profit. However, if other strategies are manipulated, the price of beltBUSD will be affected.
In this attack, the attacker manipulated the price by buying and selling BUSD multiple times, and then exploiting the loopholes in the calculation of the balance of the bEllipsis strategy.
Subsequently, the attacker converted the acquired assets into ETH in batches through the Nerve (Anyswap) cross-chain bridge. CoinHolmes, an anti-money laundering situational awareness system under PeckShield, will continue to monitor asset movements.
This is already the fourth security incident on the BSC chain since this week. This week, we warned and analyzed the security incidents of Fork PancakeBunny and Uniswap. Attacks on the BSC chain showed an acceleration and growth trend. Are Ethereum DeFi attackers attacking again or are new imitation criminals emerging?
When the attack accelerates, the security foundation of the entire DeFi field is worth reexamining, and attackers are definitely not only focusing on a new star. PeckShield reminds Fork Curve that the DeFi protocol must self-check the code, eliminate similar loopholes, or seek the help of a professional code audit team. It is not too late to lose.
Author/ Translator: Jamie Kim
Bio: Jamie Kim is a technology journalist. Raised in Hong Kong and always vocal at heart. She aims to share her expertise with the readers at blockreview.net. Kim is a Bitcoin maximalist who believes with unwavering conviction that Bitcoin is the only cryptocurrency – in fact, currency – worth caring about.