Belt Finance, the platform that provides automated market making for decentralized finance (DeFi), has become the latest Binance Smart Chain-based decentralized finance protocol to lose millions to an opportunistic hacker.
Rekt Blog reported that an attacker exploited a flaw in the way the protocol’s vaults calculate the value of their collateral, which helped to “add another notch to the now infamous flash loan exploit season on the BSC.”
“Yet another fork of a fork has rolled off the conveyor belt with $6.3M falling straight into the hands of the hacker.”
Rekt revealed that a total of eight flash loans were made on PancakeSwap for $385 million Binance USD (BUSD). The beltBUSD vault’s “Ellipsis” strategy was exploited, as it was the most undersubscribed strategy on the platform.
The report said that Belt Finance uses an optimal yield aggregator to offer passive yield generation to depositors. Ellipsis is a decentralized exchange that enables the swapping of stablecoins with low slippage on the Binance Smart Chain. The beltBUSD vault also deploys capital on the BSC-based protocols Venus, Alpaca, and Fortube for yield generation.
Belt Finance has become the latest Binance Smart Chain-native DeFi protocol to suffer a major exploit after a flash loan attack saw $6 million siphoned from the platform. https://t.co/lA1mNC9iBi — Cointelegraph (@Cointelegraph) May 31, 2021
Mudit Gupta, the Core Developer of SushiSwap, posted a Twitter thread examining the incident, describing the flash loan attack as one of the “more complex hacks.” Belt’s vaults operate with a target balance for each strategy employed, he explained. When a user deposits money into a vault, the capital is allocated to the most undersubscribed strategy. When someone withdraws money from the vault, it is taken from the most oversubscribed strategy.
Belt Finance got hacked today, losses worth ~$13mm. Withdrawals have been paused to prevent further losses. The exploit happened due to an incorrect valuation of 3eps shares. This was one of the more complex hacks in recent times🧵👇 pic.twitter.com/WCFDoDFyh0 — Mudit Gupta (@Mudit__Gupta) May 30, 2021
Gupta asserted that the attacker exploited this system to make several transactions across multiple strategies, inflating the value of the vault’s pools before repaying the flash loan and pocketing more than $6 million in profits.
“Basically, the issue happened because Belt incorrectly integrated with Ellipsis. A similar issue happened last month as well in belt finance but at that time, the problem was a buggy integration with Venus. I wonder if belt has any bug-free integration.”
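The allocation rule Gupta describes, and the way each strategy's valuation feeds the vault's share price, can be seen in a small Python model. This is an added example, not Belt Finance's code; the target weights, balances, the single-strategy withdrawal simplification and the `price_jump_exceeds` guard are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Strategy:
    name: str
    target: float   # target fraction of vault capital (constructed weights)
    value: float    # value the vault believes this strategy holds

class Vault:
    def __init__(self, strategies, shares):
        self.strategies, self.shares = strategies, shares

    def total_value(self):
        return sum(s.value for s in self.strategies)

    def share_price(self):
        # Every strategy's valuation feeds this number directly.
        return self.total_value() / self.shares

    def _gap(self, s):
        # > 0: undersubscribed relative to target; < 0: oversubscribed.
        return s.target - s.value / self.total_value()

    def deposit(self, amount):
        minted = amount / self.share_price()
        dest = max(self.strategies, key=self._gap)   # most undersubscribed
        dest.value += amount
        self.shares += minted
        return dest.name, minted

    def withdraw(self, shares):
        amount = shares * self.share_price()
        src = min(self.strategies, key=self._gap)    # most oversubscribed
        if amount > src.value:
            raise ValueError("model does not split a withdrawal across strategies")
        src.value -= amount
        self.shares -= shares
        return src.name, amount

def price_jump_exceeds(before, after, max_bps):
    # Hypothetical guard: flag a share-price move larger than max_bps basis points.
    return abs(after - before) / before * 10_000 > max_bps

def sample_vault():
    # Constructed balances; strategy names are the protocols named in the article.
    return Vault([Strategy("Venus", 0.25, 300.0), Strategy("Alpaca", 0.25, 300.0),
                  Strategy("Fortube", 0.25, 300.0), Strategy("Ellipsis", 0.25, 100.0)],
                 shares=1000.0)
```

Because the share price is the sum of all strategy valuations divided by outstanding shares, an error in valuing a single strategy's holdings reprices every share in the vault, which is why a bound on how far the price may move is a common sanity check.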
Belt Finance is the latest in a lengthening list of BSC DeFi protocols to get exploited.
On Friday, decentralized exchange BurgerSwap was attacked, resulting in the draining of $7.2 million.