Exploiter Takes Advantage of BNB Vulnerability and Uses $4 to Steal $1.27 Million

Recently, the BNB chain became the scene of an attack that highlighted these concerns. An attacker, using a flash loan, managed to turn just $4.16 into an impressive $1.27 million. This event marked the largest single arbitrage profit in the history of BNB Chain.

The attack took place on October 11 on the Pancakeswap BH/USDT trading pair. The perpetrator, identified as “MEV Bot: 0x21…480C”, executed an audacious flash loan attack in the amount of $1.27 million.

But What Exactly is a Flash Loan Attack?

Flash loan attacks are a form of exploitation in the decentralized finance (DeFi) space that relies on flash loans, which are loans that require no collateral.

In essence, a user can borrow assets without providing collateral, on the condition that the borrowed amount is returned in the same block of transactions.

If the borrower fails to meet this condition, the blockchain will reverse the transaction, ensuring that the lender does not lose any funds.

The attacker secured a flash loan, giving him immediate access to a substantial amount of capital without the need for collateral. With these borrowed assets, he manipulated prices on decentralized exchanges (DEX) by executing high-volume trades.

This intentional market manipulation created arbitrage opportunities: the attacker bought assets at a low price on one platform and sold them at a higher price on another.

After obtaining the profits, the attacker quickly repaid the flash loan within the stipulated transaction block and pocketed the remaining profits.

This attack focused on manipulating liquidity ratios in a liquidity pool, allowing the attacker to withdraw a much larger amount of USDT than they initially invested. This benefit, astonishing in its magnitude, amounted to $1,575 million.

The attacker subsequently transferred all the profits, a total of $1.27 million, to Tornado Cash, a privacy-focused Ethereum mixing service, making it difficult to trace the source of the funds.

While the exact vulnerability that enabled this attack on the Pancakeswap BH/USDT pair on BNB Chain is not yet known, previous attack patterns and general knowledge about DeFi suggest possible weaknesses.

Vulnerabilities can include bugs in smart contracts, oracle manipulation, and exploitable price distortions in liquidity pools.

Oracles, which provide external data such as asset prices to blockchain platforms, can be falsified or manipulated, creating artificial price discrepancies ripe for exploitation.
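The following is an added example, not code from the article or from any project it names. It illustrates the general weakness class described above rather than the unknown BH/USDT bug: a protocol that reads the instantaneous price of a constant-product pool can be fed a distorted value by one large trade, while a check against a time-weighted average price (TWAP) rejects it. The reserves, the 0.25% fee, the 2% threshold and all class and function names are assumptions made for the illustration.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product pool (token * usdt = k); reserves and fee are constructed values."""
    token: float
    usdt: float
    fee: float = 0.0025  # assumed swap fee

    def spot_price(self) -> float:
        return self.usdt / self.token

    def swap_usdt_in(self, amount: float) -> float:
        """Sell USDT into the pool and return the tokens paid out."""
        effective = amount * (1 - self.fee)
        out = self.token * effective / (self.usdt + effective)
        self.usdt += amount
        self.token -= out
        return out

class BlockTwap:
    """Average of end-of-block prices; trades inside the current block carry no weight."""
    def __init__(self, window: int = 10):
        self.samples = deque(maxlen=window)

    def record_block_close(self, price: float) -> None:
        self.samples.append(price)

    def value(self) -> float:
        return sum(self.samples) / len(self.samples)

def price_is_trustworthy(spot: float, twap: float, max_deviation: float = 0.02) -> bool:
    """Guard for a valuation path: reject a spot price that is far from the TWAP."""
    return abs(spot - twap) / twap <= max_deviation

def simulate(trade_usdt: float) -> dict:
    """Ten quiet blocks, then one trade of `trade_usdt` inside the next block."""
    pool, twap = Pool(token=100_000.0, usdt=100_000.0), BlockTwap()
    for _ in range(10):
        twap.record_block_close(pool.spot_price())
    pool.swap_usdt_in(trade_usdt)  # happens mid-block, before any new sample
    spot, avg = pool.spot_price(), twap.value()
    return {"spot": spot, "twap": avg, "accepted": price_is_trustworthy(spot, avg)}

if __name__ == "__main__":
    print(simulate(100.0))       # ordinary trade: spot stays near the TWAP
    print(simulate(900_000.0))   # loan-sized trade: spot diverges, guard rejects
```

Because the average only samples prices at block close, a distortion that is created and unwound inside one transaction never enters it, which is why the guard compares against the TWAP rather than the pool's current reserves.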
