Belt Finance loses millions in latest BSC-based DeFi exploit

Published at: May 31, 2021

Belt Finance has become the latest Binance Smart Chain-based decentralized finance protocol to lose millions to an opportunistic hacker.

The Rekt Blog, which writes postmortems of DeFi exploits, stated that an attacker exploited a flaw in the way the protocol’s vaults calculate the value of its collateral, which helped to “add another notch to the now infamous flash loan exploit season on the BSC,” adding:

“Yet another fork of a fork has rolled off the conveyor belt with $6.3M falling straight into the hands of the hacker.”

Rekt revealed that a total of eight flash loans were made on PancakeSwap for $385 million Binance USD (BUSD). The beltBUSD vault's “Elipsis” strategy was exploited, as it was the most undersubscribed strategy on the platform.

Belt Finance uses an optimal yield aggregator to offer passive yield generation to depositors. Elipsis is a decentralized exchange that enables the swapping of stablecoins with low slippage on the Binance Smart Chain. The beltUSD vault also deploys capital on the BSC-based protocols Venus, Alpaca and Fortube for yield generation.

On Sunday, SushiSwap core developer Mudit Gupta posted a Twitter thread examining the incident, describing the flash loan attack as one of the “more complex hacks.”

Belt’s vaults operate with a target balance for each strategy employed, he explained. When a user deposits money into a vault, the capital is allocated to the most undersubscribed strategy. When someone withdraws money from the vault, it withdraws it from the most oversubscribed strategy.

Gupta asserted the attacker exploited this system to make several transactions across multiple strategies, inflating the value of its pools before repaying the flash loan and pocketing more than $6 million in profits. Gupta concluded:

“Basically, the issue happened because Belt incorrectly integrated with Elipsis. A similar issue happened last month as well in belt finance but at that time, the problem was a buggy integration with Venus. I wonder if belt has any bug-free integration.”

Venus is another BSC protocol for lending and borrowing via the minting of synthetic stablecoins.

Belt Finance is the latest in a lengthening list of BSC DeFi protocols to get exploited. On Friday, decentralized exchange BurgerSwap was attacked resulting in the draining of $7.2 million.

So far this year, Cream Finance, bEarn, Bogged Finance, Uranium Finance, Meerkat Finance, SafeMoon and Spartan Protocol have all suffered exploits on Binance Smart Chain. Binance has now turned to blockchain intelligence company CipherTrace for analytics support in a bid to mitigate further incursions.

Tags
Related Posts
Finance Redefined: One hack to bring down a whole market, Feb 10–17
Finance Redefined is Cointelegraph's DeFi-centric newsletter, delivered to subscribers every Wednesday. The Alpha Homora and Cream Finance hack has made a gigantic mark in the DeFi space this week. It is the largest single hack in DeFi history at $37 million in funds stolen. It is also one of the most complex, apparently leveraging several honest-to-God vulnerabilities in Alpha Homora. A few missing input checks in very specialized conditions allowed the hacker to abuse Alpha Homora’s privilege of borrowing an unlimited amount of funds from Cream Finance’s Iron Bank. Flash loans were of course involved, but unlike some previous hacks …
Technology / Feb. 18, 2021
Yearn.Finance puts expanded treasury to use by repaying victims of $11M hack
Major decentralized finance protocol Yearn.Finance (YFI) has restored its yDAI vault in the aftermath of a $11 million exploit by hackers. Yearn announced Tuesday that they opened a Maker vault with YFI tokens from the treasury and minted 9.7 million DAI tokens from the vault to keep the yDAI vault intact. Using borrowed money allows the project to reimburse users without taking a hit to the treasury, either due to possible YFI appreciation or by gradually repaying the debt with protocol revenue. The team said that this is a one-off occurrence, as they expect users to hedge their own risks …
Technology / Feb. 9, 2021
Finance Redefined: You get hacked, they get hacked, everyone gets hacked, Nov. 11–18
If people actually used insurance against hacks, this week would definitely have bankrupted a great many insurers. In the span of one week, a total of four flash loan-enabled exploits were registered (one actually happened the week before, but wasn’t noticed until later). We have, in order, Cheese Bank with a $3.3 million theft, Akropolis with its $2 million loss, Value DeFi with a whopping $6 million exploit and finally Origin Protocol’s loss of $7 million. In total, the hackers stole $18.3 million, which admittedly, is not that much — less than the single October exploit of Harvest Finance. As …
Technology / Nov. 19, 2020
Jump Crypto replenishes funds from $320M Wormhole hack in largest-ever DeFi 'bailout'
On Thursday, Jump Crypto, a crypto venture capital firm that owns Certus One, the developer of the Wormhole token bridge, announced it had deposited 120 thousand Ether (ETH) into a Solana-Ethereum bridge that suffered a devastating exploit. The day prior, hackers fraudulently minted 120 thousand wrapped Ether (wETH) worth $321 million on the Solana (SOL) platform, then redeemed 93,750 wETH for ETH on the Ethereum network while swapping the rest for other altcoins on the Solana network. The cross-chain ETH-wETH is supposed to have an exchange ratio of 1:1 against one another. Therefore, unauthorized minting of wETH leads to significant …
Technology / Feb. 3, 2022
Top 7 cybersecurity jobs in high demand
In today’s digital age, cybersecurity has become a critical aspect of almost every business. Cyber threats are increasing daily, and businesses must take proactive measures to protect their networks and data. As a result, the demand for cybersecurity professionals has skyrocketed. Little Friday humour #meme #cybersecurity @hackurityio pic.twitter.com/MArEpCh03k — Harold De Vries (@devries_harold) February 17, 2023 In this article, we will discuss the top seven cybersecurity jobs that are in high demand. Cybersecurity analyst A cybersecurity analyst is responsible for identifying and mitigating cyber threats to an organization’s network and data. They examine system logs and network traffic to find …
Technology / Feb. 26, 2023