DeFi hacks on Binance Smart Chain continue as ‘Impossible Finance’ drained for $500k

By Ana Grabundzija

Impossible Finance, a decentralized finance (DeFi) protocol on the Binance Smart Chain, has been exploited for $500,000 in a flash loan attack.

A flash loan attack is a common type of DeFi exploit in which hackers take an uncollateralized loan from a lending protocol and, through a series of technical maneuvers, manipulate the market in their favor.

Vulnerability

The attack on the Impossible Finance liquidity pool happened on June 21 and resulted in a loss of 229.84 Ethereum (ETH), valued at $500,000 at the time of the exploit.

By using a fake token, hackers launched a flash loan attack to exhaust the protocol’s liquidity pool.

Auditing service WatchPug explained that the attack involved consecutive swaps at about the same price, draining the liquidity pool, “which is usually impossible.”

At 4 AM UTC, Jun 21, $0.5M was stolen from Impossible Finance.

The hacker made multiple swaps in a row at about the same price and drained the LP, which is usually impossible.

How does Impossible Finance make the impossible possible?

Read our analysis: https://t.co/3r0p1dOFWz

— WatchPug (@WatchPug_) June 21, 2021

A vulnerability in the pool’s smart contract enabled multiple swaps of the protocol’s native Impossible Finance token (IF) to Binance USD stablecoin (BUSD) and then to the native coin of Binance Chain, Binance Coin (BNB).
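Why back-to-back swaps at the same price are "usually impossible", as an added example that is not from the article, WatchPug or Impossible Finance: it assumes a constant-product pool (the product of the two reserves must not decrease across a swap) with a 0.3% fee, and audits constructed swap traces for payouts above that bound. All names, reserves and amounts are illustrative.

```python
from dataclasses import dataclass

FEE_NUM, FEE_DEN = 997, 1000  # assumed 0.3% swap fee

@dataclass
class Swap:
    reserve_in: int   # input-token reserve before the swap
    reserve_out: int  # output-token reserve before the swap
    amount_in: int
    amount_out: int

def max_amount_out(reserve_in, reserve_out, amount_in):
    """Largest payout that keeps reserve_in * reserve_out from shrinking."""
    in_after_fee = amount_in * FEE_NUM
    return in_after_fee * reserve_out // (reserve_in * FEE_DEN + in_after_fee)

def simulate(n, amount_in, same_price):
    """Constructed trace of n equal-sized swaps against a 1,000,000 / 1,000,000 pool.
    same_price=True pays every swap what the first one received (the anomaly)."""
    r_in, r_out, first, trace = 1_000_000, 1_000_000, None, []
    for _ in range(n):
        out = max_amount_out(r_in, r_out, amount_in)
        if first is None:
            first = out
        if same_price:
            out = min(first, r_out)
        trace.append(Swap(r_in, r_out, amount_in, out))
        r_in, r_out = r_in + amount_in, r_out - out
    return trace

def audit(trace):
    """Indices of swaps that paid out more than the invariant allows."""
    return [i for i, s in enumerate(trace)
            if s.amount_out > max_amount_out(s.reserve_in, s.reserve_out, s.amount_in)]

if __name__ == "__main__":
    for label, same in (("normal", False), ("same-price", True)):
        trace = simulate(5, 100_000, same)
        print(label, [s.amount_out for s in trace], "flagged:", audit(trace))
```

In the normal trace each payout is smaller than the one before it, because every swap moves the price against the trader; in the same-price trace every swap after the first exceeds the bound and is flagged.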

According to Mudit Gupta, a core developer of SushiSwap, the hack design wasn’t that innovative: it exploited a vulnerability similar to the one in the recent attack on the BurgerSwap protocol, also built on the Binance Smart Chain, in which $7.2 million was stolen.

Impossible finance got exploited today for $500k. https://t.co/mzCPRluOjn

Same exploit as the burger swap one: https://t.co/3PkVtn7Hi7

If the original project gets hacked, why don’t the forks react?

— Mudit Gupta (@Mudit__Gupta) June 21, 2021

Postmortem

Impossible Finance published a report on the incident through the official announcement channel and said it had prepared an insurance fund.

The project announced that all user funds deposited into liquidity pools prior to the attack will be 100% compensated. Meanwhile, all liquidity pool rewards are paused, and users are advised not to add or withdraw funds for the IF/BUSD and IF/BNB pairs.

Impossible Finance joins other flash loan exploits on the Binance Smart Chain, like Pancake Bunny and Belt Finance, after the network issued an official “call for action” to developers.

Copycat? Serial? The space is yet to profile all the DeFi predators out there.

The post DeFi hacks on Binance Smart Chain continue as ‘Impossible Finance’ drained for $500k appeared first on CryptoSlate.