PeckShield Brief Analysis of the BurgerSwap Flash Loan Attack: The logic behind a DeFi protocol matters more than the code



Original title: "BurgerSwap and JulSwap Flash Loan Attack Revelation: Do you really understand Uniswap?"
Written by: PeckShield

The rise of the BSC chain in 2021 pushed Decentralized Finance (DeFi) into another boom. The total value locked (TVL) in DeFi protocols once reached 130 billion U.S. dollars, the whole crypto world went wild, and DeFi protocols sprang up everywhere. But with the sharp drop in the price of Bitcoin and a steady stream of security incidents, DeFi TVL has begun to trend downward.

In the early days, the fixed, lower transaction fees offered by BSC and its developer-friendly environment attracted a number of DeFi protocols to migrate to the new chain. It also attracted a number of AMMs that positioned themselves as Uniswap challengers. Judging by the current situation, of course, they are just simple forks.

On May 28, BurgerSwap, the first autonomously governed AMM on the BSC chain, and the DEX protocol JulSwap were hit by flash loan attacks one after the other. It is worth noting that both BurgerSwap and JulSwap are forks of the Uniswap code, yet they appear not to have fully understood the logic behind Uniswap.

If you do not fully understand the mathematics behind Uniswap, why imitate it? To quickly win the favor of capital? Or for fear of missing the traffic that a hot trend brings? We could not stop the imitation from happening, but we quickly saw the result: BurgerSwap lost $7 million, and $JULB fell by more than 95% in a short time.

PeckShield security researchers quickly located the cause of the BurgerSwap flash loan attack: through a reentrancy, the attacker called the _update() function before the smart contract had normally carried out the second deposit, and was thereby able to swap out 45,453 BURGER first.

PeckShield summarizes the attack process as follows:


  • The attacker took a flash loan of 6,047.13 WBNB from the PancakeSwap WBNB-BUSDT pool;
  • On BurgerSwap, the attacker called DemaxPlatform.swapExactTokensForTokens() to swap 6,029 WBNB for 92,677 BURGER;
  • The attacker created a counterfeit BURGER-Fake LP pair on the BurgerSwap platform, seeding it with 100 counterfeit tokens and 45,316.6 BURGER;
  • The attacker swapped the 100 counterfeit tokens for 45,316.6 WBNB;
  • During this step, the attacker re-entered the contract and performed a second swap, exchanging 45,453 BURGER for 4,478.6 WBNB.

From those two swaps the attacker obtained a total of about 8,800 WBNB. The attacker then swapped 493 WBNB back for 108,700 BURGER on BurgerSwap and repaid the flash loan, completing the attack.
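The nested swap described in the steps above runs while the pair's stored reserves are still the pre-swap values, which is exactly the window a Uniswap V2-style pair closes in two places: the `lock` reentrancy guard on `swap()`, and the constant-product check evaluated on fresh token balances against the reserve snapshot taken at the top of the call. The following is an added illustration written for this article, not BurgerSwap's, JulSwap's or PeckShield's code, and not a claim about which of these two checks the attacked fork actually lacked. `MiniPair` and `ReentrantToken` are hypothetical names; the pair is a stripped-down rendering of Uniswap V2's `swap()` (0.3% fee, optimistic transfer, K check, then `_update()`) with minting, burning and the price oracle omitted, and the token is the "fake" side of a BURGER-Fake style pair whose `transfer()` calls back into the pair.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration for this article. Contract names are hypothetical; this is
// not BurgerSwap, JulSwap or PeckShield code, only the Uniswap V2 swap shape.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract MiniPair {
    IERC20 public immutable token0;
    IERC20 public immutable token1;
    uint112 private reserve0;
    uint112 private reserve1;
    uint256 private unlocked = 1;

    // Defense 1: Uniswap V2's reentrancy guard. A nested call into swap() reverts.
    modifier lock() {
        require(unlocked == 1, "LOCKED");
        unlocked = 0;
        _;
        unlocked = 1;
    }

    constructor(IERC20 _token0, IERC20 _token1) {
        token0 = _token0;
        token1 = _token1;
    }

    function getReserves() public view returns (uint112, uint112) {
        return (reserve0, reserve1);
    }

    // Reserves are written only here, at the very end of a swap.
    function _update(uint256 balance0, uint256 balance1) private {
        require(balance0 <= type(uint112).max && balance1 <= type(uint112).max, "OVERFLOW");
        reserve0 = uint112(balance0);
        reserve1 = uint112(balance1);
    }

    // Uniswap V2 convention: the caller sends the input tokens to the pair first and
    // then asks for the output amounts; payment is verified by the K check below.
    function swap(uint256 amount0Out, uint256 amount1Out, address to) external lock {
        require(amount0Out > 0 || amount1Out > 0, "INSUFFICIENT_OUTPUT_AMOUNT");
        (uint112 _reserve0, uint112 _reserve1) = getReserves(); // pre-swap snapshot
        require(amount0Out < _reserve0 && amount1Out < _reserve1, "INSUFFICIENT_LIQUIDITY");

        // Optimistic transfer out. A token with a transfer hook gets control here,
        // while reserve0/reserve1 are still the stale pre-swap values.
        if (amount0Out > 0) require(token0.transfer(to, amount0Out), "TRANSFER_FAILED");
        if (amount1Out > 0) require(token1.transfer(to, amount1Out), "TRANSFER_FAILED");

        uint256 balance0 = token0.balanceOf(address(this));
        uint256 balance1 = token1.balanceOf(address(this));
        uint256 amount0In = balance0 > _reserve0 - amount0Out ? balance0 - (_reserve0 - amount0Out) : 0;
        uint256 amount1In = balance1 > _reserve1 - amount1Out ? balance1 - (_reserve1 - amount1Out) : 0;
        require(amount0In > 0 || amount1In > 0, "INSUFFICIENT_INPUT_AMOUNT");

        // Defense 2: the constant-product invariant (with the 0.3% fee) on fresh
        // balances against the snapshot. Reaching this point without having paid
        // fails here, whether or not _update() has run yet.
        uint256 balance0Adjusted = balance0 * 1000 - amount0In * 3;
        uint256 balance1Adjusted = balance1 * 1000 - amount1In * 3;
        require(balance0Adjusted * balance1Adjusted >= uint256(_reserve0) * _reserve1 * 1000 ** 2, "K");

        _update(balance0, balance1);
    }
}

// Hypothetical counterfeit token: its transfer() re-enters the pair. With `lock`
// in place the nested swap reverts and unwinds the outer swap with it.
contract ReentrantToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    MiniPair public pair;
    bool private reentered;

    constructor() {
        balanceOf[msg.sender] = 1_000_000 ether;
    }

    function setPair(MiniPair _pair) external {
        pair = _pair;
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        if (msg.sender == address(pair) && !reentered) {
            reentered = true;
            // Second swap attempted before the pair has run _update(): reverts with "LOCKED".
            pair.swap(0, 1, to);
        }
        return true;
    }
}
```

Deployed as written, a swap that pays out `ReentrantToken` reverts with `LOCKED` the moment the token's hook calls back into `swap()`, and the revert takes the whole transaction down. Removing the `lock` modifier in a local test is the quickest way to see the nested call execute against the stale `reserve0`/`reserve1`, at which point the K check is the only thing standing between the pool and the attacker. A fork that alters either mechanism has changed the protocol's logic, however small the diff looks.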

"Good artists copy, great artists steal."

For BurgerSwap and JulSwap as they stand today, and indeed for the other Uniswap forks, it is far too early to talk about surpassing Uniswap.

DeFi is an important part of the blockchain field's development, but we are currently in an era of over-issued DeFi protocols. As time passes and the tide washes the sand away, only the DeFi protocols that focus on security and guard their reputations will survive.

PeckShield reminds Uniswap-fork DeFi protocols to audit their own code and eliminate similar vulnerabilities, or to seek help from professional code auditors. After all, the attackers are watching you!

Disclaimer: As a blockchain information platform, the articles published on this site only represent the author’s personal views, and have nothing to do with the position of ChainNews. The information, opinions, etc. in the article are for reference only, and are not intended as or regarded as actual investment advice.


Disclaimer:

Blockcast.cc does not endorse any content or product on this page. While we aim to provide all the important information we could obtain, readers should do their own research before taking any action related to the company and carry full responsibility for their decisions; this article cannot be considered investment advice or a recommendation. Every investment and trading move involves risk, and you should conduct your own research when making a decision.