SlowMist: Analysis of Uranium Finance’s Hacked Event

SlowMist
2 min readApr 28, 2021

--

According to news from the SlowMist Zone, the DeFi project Uranium on the Binance Smart Chain was “hacked” with a loss of 50 million U.S. dollars. The SlowMist security team immediately intervened in the analysis and shared it for your reference in the form of a newsletter:

Attack analysis

This problem occurred on the pair contract of the Uranium project. The swap function part of the contract logic refers to the logic of PancakeSwap, allowing users to lend out funds through flash loans. However, when this function checks the contract balance according to the constant product formula, there is a problem of accuracy processing errors, resulting in the balance calculated in the final contract being 100 times larger than the actual balance of the contract. In this case, if the attacker uses a flash loan to borrow , Only need to return 1% of the loan amount to pass the inspection and steal the remaining 99% of the balance, resulting in project losses.

Summary

At present, Uranium official has issued a document confirming the theft, and recommends that users contact the official to calculate the loss. The SlowMist security team recommends that users pay attention to risks when participating in DeFi projects, participate cautiously, and choose reliable project parties that have undergone security audits to participate in DeFi to avoid financial losses .

Reference link:

https://bscscan.com/tx/0x5a504fe72ef7fc76dfeb4d979e533af4e23fe37e90b5516186d5787893c37991

About us

SlowMist Technology is a company focused on blockchain ecosystem security. It has served many top or well-known projects around the world through “the security solution that integrated the threat discovery and threat defense while tailored to local conditions” and has nearly a thousand commercial customers. SlowMist’s security solutions include security audit, threat intelligence (BTI), bug bounty, defense deployment, security consultant, and other services. SlowMist is equipped with cryptocurrency anti-money laundering (AML), false top-up scanner, vulnerability scanner, and vulnerability monitoring (Vulpush), hacked project archives (SlowMist Hacked), smart contract firewall (FireWall.X), Safe Staking and other SAAS security products. It has been widely concerned and recognized by the industry.

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.