Belt Finance, a platform that provides automated market making for decentralized finance (DeFi), was hacked Saturday in a flash loan attack that resulted in a profit of $6.23 million for the perpetrator and an overall $50 million loss for the platform.
- It's the latest attack on a DeFi protocol built on Binance Smart Chain, one of the so-called Ethereum killers that's built by centralized crypto exchange giant Binance.
- In a blog post, Belt Finance said the attacker created a smart contract that used PancakeSwap for flash loans and exploited its beltBUSD pool and its strategy protocols and then proceeded to execute the contract eight times for a total profit of 6.23 million BUSD (US $6.23 million).
- BeltBUSD vault users suffered a 21.36% loss of funds, while 4Belt pool users lost 5.51%, the protocol said. No other pools/vaults were affected. Overall, the attack cost the beltBUSD pool a combined loss of 50m BUSD (US $50 million) consisting of 43.8m in fees and the 6.23 million BUSD that the attacker withdrew as profit.
- The protocol said it paused withdrawals and deposits as soon as it were aware of the attack and that the vulnerability that allowed the attack to occur has been patched.
- In its blog post dated Sunday, Belt Finance said withdrawals and deposits would resume sometime in the next 24 to 48 hours and that it's working on a "compensation plan" that will be released in next 48 hours.
UPDATE (May 30, 23:14 UTC): Adds that beltBUSD pool’s loss was a total 50 million BUSD with the 43.8 million in fees added to the 6.23 million in profits taken by the attacker.