1. Home
  2. Uranium Finance

Uranium Finance

Wallet tied to Uranium Finance hacker reawakens after 647 days, shifting $3.3M

The hacker has other associated wallets that have also shifted funds to privacy networks such as Aztec.

One of the wallets associated with the $50 million exploit of Uranium Finance in April 2021 appears to have awoken after 647 days of dormancy, with funds headed towards crypto mixer Tornado Cash.

The sudden move was highlighted on Mar. 7 by cyber security firms PeckShield and CertiK on their respective alert accounts on Twitter.

According to data from Etherscan, the hacker moved the 2,250 Ether (ETH) or $3.35 million over a seven-hour period in transactions ranging from 1 ETH to 100 ETH — with all the funds heading to Tornado Cash.

This is, however, just one of the wallets associated with the hacker. Another Ethereum wallet linked to the hacker shows it was last active 159 days ago, with 5 ETH being sent to privacy-focused Ethereum zk-rollup on Aztec.

This marks yet another occasion in 2023 in which a hacker’s wallet has come out of dormancy after a lengthy hiatus. In January, the Wormhole hacker moved around $155 million worth of ETH almost a year after exploiting the Wormhole bridge for $321 million in early 2022.

The same month, a notorious hacker dubbed the “blockchain bandit” also moved around $90 million after a six-year slumber. 

In February, the Wormhole hacker moved another $46 million worth of stolen funds, while popular blockchain sleuth ZacXBT highlighted via Twitter on Feb. 23 that “dormant funds left over” from the April 2018 $230 million Gate.io exchange hack by “North Korea began to move after over 4.5 years.”

Binance Smart Chain-based automated market maker Uranium Finance was exploited on Apr. 28, 2021. The hack itself was reportedly the result of a coding vulnerability that allowed the hacker to siphon $50 million during Uranium’s v2.1 protocol launch and token migration event.

The platform seemingly shut down shortly after the hack, with its last Twitter post published on Apr. 30, 2021 and urges users to remove funds from its various liquidity pools.

Unanswered questions

It is also worth noting that on Apr. 28, 2021, someone claiming to be a member of the project’s development team suggested in the Uranium discord channel the hack may have been an inside job.

They outlined that only a small number of team members knew of the security flaw prior to the v2.1 protocol launch, and questioned the suspicious timing of the hack being just two hours before launch.

Since then, reports have gone cold on the project and its victims. However, Binance forum posts from October 2022 suggest that users have been left out in the cold.

Related: 7 DeFi protocol hacks in Feb see $21 million in funds stolen: DefiLlama

On Oct. 26, User “RecoveryMad” made a post asking for a follow-up on the hack, and noted that the person representing the Uranium team in the community Telegram had “vanished.”

In response, user “nofiatnolie” claimed that “No investigation was performed. It was swept up under the rug. There are still victim groups with no answers and crowd-sourced investigations [are] pointing at the developers of Uranium and others as the suspects.”

Bitwise files for ETF tracking firms with big Bitcoin treasuries

$50M reportedly stolen from BSC-based Uranium Finance

Uranium Finance joins the growing list of hacked projects on the Binance Smart Chain network.

Uranium Finance, an automated market maker platform on the Binance Smart Chain, has reported a security incident that resulted in a loss of about $50 million.

Tweeting on Wednesday, Uranium revealed that the exploit targeted its v2.1 token migration event and that the team was in contact with the Binance security team to mitigate the situation.

The hacker reportedly took advantage of bugs in Uranium’s balance modifier logic that inflated the project’s balance by a factor of 100.

This error reportedly allowed the attacker to steal $50 million from the project. As of the time of writing, the contract created by the hacker still holds $36.8 million in Binance Coin (BNB) and Binance USD (BUSD).

The remaining stolen funds include 80 Bitcoin (BTC), 1,800 Ether (ETH), 26,500 Polkadot (DOT), 5.7 million Tether (USDT), as well as 638,000 Cardano (ADA) and 112,000 u92, the project's native coin.

Details from BscScan show the attacker swapping the ADA and DOT tokens for ETH, upping the Ether stash to about 2,400 ETH.

Meanwhile, the alleged mastermind of the theft has already moved 2,400 ETH, worth about $5.7 million, using the Ethereum privacy tool Tornado Cash.

Data from Ethereum chain monitoring service Etherscan shows the funds moving in 100 ETH sums, with the cross-chain decentralized exchange bridge AnySwap used to migrate funds from BSC to the Ethereum network.

Source: Etherscan

According to Uranium, the project has reached out to the Binance security team to prevent the hacker from moving more funds out of the BSC ecosystem.

Binance did not immediately respond to Cointelegraph’s request for comment. A spokesperson for Uranium revealed that the bug was yet to be patched and that users have been advised to stop providing liquidity on the project and to cash out their funds.

The team also created a Telegram group for victims of the hack while promising to provide updates on the progress being made to recover the stolen funds.

Wednesday’s hack is the second attack on the Uranium project in quick succession. Earlier in April, hackers exploited one of the platform’s pools, stealing about $1.3 million worth of BUSD and BNB.

Indeed, the incident led to the first migration to v2 less than two weeks ago. In a previous announcement, the Uranium developer team said that multiple entities had audited its v2 contracts and that it had learned from its previous mistakes.

Meanwhile, speculation is rife as to whether the attack was an inside job, given the sudden decision to engineer another version upgrade barely 11 days after completing the v2 migration.

Hacks associated with smart contract bugs are commonplace within the decentralized finance arena even for fully audited projects — as was the case with MonsterSlayer Finance earlier in April. Back in March, Meerkat, a Yearn.finance clone on the BSC, reportedly “exit-scammed” its users, stealing $31 million in the process.

Days later, the project’s developer team revealed the alleged “rug pull” was a test while outlining plans to return the funds. TurtleDex, another BSC-based project, also exit-scammed shortly after its launch, draining over 9,000 BNB tokens raised during the pre-sale.

Bitwise files for ETF tracking firms with big Bitcoin treasuries