The $50 million exploit of Uranium Finance, a decentralized finance protocol on Binance Smart Chain, may have been an inside job, according to a member of the project’s development team.
The theory was put forward in Uranium Finance’s Telegram channel by a user named “Baymax,” who appears to be listed as an administrator. In a pinned post, Baymax explained that the security flaw leading to the exploit happened just two hours before version 2 of the protocol was launched. The suspicious timing of the exploit narrows down the list of potential perpetrators significantly.
“There are a total of 7 people in Uranium who knew of the exploit. Outside of Uranium would be the 3 auditors contractors and their respective sub cons who may be aware of this flaw.”
“From the information that we gathered with the community input, it leans towards that someone leaked information that may have led to exploiters finding out about our vulnerabilities.”
No team members are listed on Uranium Finance’s official website, so it’s difficult to extrapolate further regarding how the exploit took place or who may have been responsible.
Baymax urged the Telegram channel's over 4,100 members to message them directly and avoid any contact with other moderators or team members. In the meantime, affected users have also been asked to stop adding liquidity and to cash out if at all possible.
A separate Telegram group for victims of the attack has already been created, with over 1,200 members at the time of writing. In a pinned message, Baymax told affected users that they will provide further updates as they come. "[W]hales or users that lost more than $300K+ should pm me," they said.
The stolen funds are already on the move, with the perpetrator funneling millions through Tornado Cash, an Ethereum-based privacy tool.
Security exploits and hacks are nothing new for the cryptocurrency community. According to at least one estimate, there were 122 crypto-related hacks in 2020 alone, with the exploited assets worth billions at today’s prices.