Three days and some hours after we reported the flash loan attack on BurgerSwap that resulted in a $7.2 million loss, another Binance Smart Chain powered DeFi protocol, Belt finance, has suffered the same fate.
The automated market marker announced that hackers created a smart contract via PancakeSwap to coordinate the flash loan attack and exploited its beltBUSD pool.
“On May 29, 2021, a flash loan attack was initiated on the BSC 4Belt (USDT/USDC/BUSD/DAI) pool.
“The attacker created a smart contract that used PancakeSwap for flash loans and exploited our beltBUSD pool and its underlying strategy protocols and then proceeded to execute the contract 8 times for a total profit of 6,234,753 BUSD. beltBUSD vault users suffered a 21.36% loss of funds, while 4Belt pool users suffered a 5.51% loss of funds. No other pools/vaults were affected.” A release on their medium account read.
Belt finance are said to be pondering a “compensation plan” for investors.
Withdrawals and deposits are currently suspended but will resume in the next 24-48 hours.
“We paused withdrawals and deposits as soon as we were aware of the attack to prevent further losses and protect our users and their assets. While we are aware that this may cause our users inconvenience, it was done to prevent the same exploit from attacking our other vaults/pools.
“All other pools/vaults and all funds remain unaffected and safe from this attack, and we have now patched the attack vector that allowed this exploit of 4Belt and beltBUSD.
“As our contracts are time-locked, withdrawals & deposits of funds will resume within the next 24–48 hours. Rest assured that your funds are safe, and we are devising a compensation plan that will be released within the next 48 hours.” An official statement from the company read.