Another decentralized finance (DeFi) project has fallen victim to a flash loan attack, with the hackers stealing over $7.2 million worth of BNB, ETH, BURGER, and other tokens.
BurgerSwap, a Binance Smart Chain (BSC) DeFi platform, suffered a flash loan attack at around 3 am on May 28. The malicious actor succeeded in stealing roughly $7.2 million.
According to the incident report shared by the BurgerSwap team on Twitter, the attacker was able to create a “fake coin,” a loophole that can be exploited by anyone on BSC. The fake token was used to form a trading pair with the BURGER token. The devs explained:
By adjusting the routing, the attacker created $BURGER -> Fake Coin -> $WBNB routing; through $BURGER -> Fake Coin trading pair, attacker re-entered BurgerSwap through Fake Coin & manipulated a number of reserve0 and reserve1 in the pair’s contract, causing the price to change.
Similar to previous attacks, the attacker took a flash loan of 6,000 Binance Coin (BNB) from PancakeSwap, a BSC-based decentralized exchange. The loan was swapped for 92,000 BURGER tokens, after which 100 “fake tokens” and 45,000 BURGER were added to liquidity pool. This was exchanged for 4,400 BNB tokens.
In total, the attacker went home with 432,000 BURGER ($3.2 million), 4,400 BNB (worth around $1.6 million), 142,000 xBURGER ($1 million), 1.4 million USDT stablecoins, 22,000 BUSD, and 2.5 Ethereum ($6,800).