Belt Finance has become the latest Binance Smart Chain-based decentralized finance, or DeFi, protocol to lose millions to an opportunistic hacker.
The Rekt Blog, which post mortems DeFi exploits, stated that an attacker took advantage of a flaw in the way the protocol’s vaults calculates the value of its collateral which helped to “add another notch to the now infamous flash loan exploit season on the BSC,” adding:
“Yet another fork of a fork has rolled off the conveyor belt with $6.3M falling straight into the hands of the hacker.”
Rekt revealed that a total of eight flash loans were made on PancakeSwap for $385 million BUSD. The beltBUSD vault’s “Elipsis” strategy was exploited as it was the most undersubscribed strategy on the platform.
Belt Finance uses an optimal yield aggregator to offer passive yield generation to depositors. Elipsis is a decentralized exchange that enables swapping of stablecoins with low slippage on the Binance Smart Chain. The beltUSD vault also deploys capital on the BSC-based protocols Venus, Alpaca, and Fortube for yield generation.
On May 30, SushiSwap core developer Mudit Gupta posted a Twitter thread assessing the incident, describing the flash loan attack as one of the “more complex hacks.”
Belt’s vaults operate with a target balance for each strategy employed, he explained. When a user deposits money into a vault, the capital is allocated to the most undersubscribed strategy. When someone withdraws money from the vault, it withdraws it from the most oversubscribed strategy.
Gupta asserted the attacker exploited this system to make several transactions across multiple strategies, inflating the value of its pools before repaying the flash loan and pocketing more than $6 million in profits. Gupta concluded:
“Basically, the issue happened because Belt incorrectly integrated with Elipsis. A similar issue happened last month as well in belt finance but at that time, the problem was a buggy integration with Venus. I wonder if belt has any bug-free integration.”
Venus is another BSC protocol for lending and borrowing via the minting of synthetic stablecoins.
Belt Finance is the latest in a lengthening list of BSC DeFi protocols to get exploited. On May 28, the BurgerSwap DEX was attacked resulting in the draining of $7.2 million.
So far this year, Cream Finance, bEarn, Bogged Finance, Uranium Finance, Meerkat Finance, SafeMoon, and Spartan Protocol have all suffered exploits on Binance Smart Chain. Binance has now turned to blockchain intelligence company CipherTrace for analytics support in a bid to mitigate further incursions.