Belt Finance is now the latest Binance Smart Chain-based decentralized finance (DeFi) protocol to lose millions of dollars to an opportunistic hacker. The Rekt blog, which publishes post-mortems of DeFi exploits, said that an attacker exploited a flaw in the way the protocol’s vaults calculate the total value of their collateral, which helped to “add another notch to the now infamous flash loan exploit season on the BSC,” adding:
“Yet another fork of a fork has rolled off the conveyor belt with $6.3M falling straight into the hands of the hacker.”
Rekt said that a total of eight flash loans were made on PancakeSwap for $385 million in BUSD. Interestingly, the beltBUSD vault’s “Ellipsis” strategy was mainly exploited because it was the most under-subscribed strategy on the platform.
Belt Finance uses an optimal yield aggregator to provide passive yield generation to depositors. Ellipsis is a decentralized exchange that enables the swapping of stablecoins with low slippage on the Binance Smart Chain. Notably, the beltBUSD vault also deploys some of its capital on the BSC-based protocols Alpaca, Venus, and Fortube for yield generation.
SushiSwap core developer Mudit Gupta posted a May 30 Twitter thread that examined the incident. He described the flash loan attack as one of the “more complex hacks.” According to him, the Belt vaults operate with a target balance for every strategy used.
Whenever a user deposits money into a vault, the capital is allocated to the most under-subscribed strategy. Conversely, whenever somebody withdraws money from the vault, the funds are taken from the most oversubscribed strategies.
Gupta said that the attacker exploited this system by making multiple transactions across several strategies, inflating the value of its pools before repaying the flash loan and then making off with over $6 million in profits. Gupta concluded:
“Basically, the issue happened because Belt incorrectly integrated with Ellipsis. A similar issue happened last month as well in belt finance but at that time, the problem was a buggy integration with Venus. I wonder if the belt has any bug-free integration.”
Venus is another Binance Smart Chain protocol for lending and borrowing through the minting of synthetic stablecoins. Belt Finance is now the latest in a growing list of BSC DeFi protocols to get exploited. On May 28, 2021, the BurgerSwap DEX was attacked. That incident resulted in the draining of $7.2 million.
So far in 2021, bEarn, Uranium Finance, Cream Finance, Bogged Finance, SafeMoon, Meerkat Finance, and Spartan Protocol have all suffered exploits on Binance Smart Chain. Binance has now turned to blockchain intelligence firm CipherTrace for analytics support, aiming to eliminate further incursions.