It’s another day, and another decentralized finance (DeFi) flash loan exploit has reared its head. The latest victim is bEarn, which lost $11 million in stablecoins on May 16.
The Binance Smart Chain (BSC) based cross-chain auto yield farming protocol bEarn reported the incident which resulted in the draining of the bVault BUSD Alpaca strategy. A little over $10.8 million BUSD was stolen by an attacker who used flash loans to exploit the system.
The incident was the result of the improper implementation of the withdraw function, the report explained, adding that a mistake in using the smart contract from its launch allowed the strategy to withdraw more BUSD than needed.
The attacker took out a flash loan on Cream Finance for 7.8 million BUSD and used this to deposit and withdraw from the bVaults around 30 times. After this, the attacker withdrew 8.26 million BUSD and repaid the flash loan.
bEarn contacted Binance to get the attackers address blocked and prevent them transferring funds. It also froze all of its bVaults to prevent any further losses and contacted security firms to analyze the code. A snapshot was also taken of liquidity providers addresses in order to work on a compensation plan.
“We will create a compensation fund which will consist of a combination of the remaining saved funds, Dev Fund, DAO Fund and a portion of fees generated by the protocol.”
At the time of writing, bEarn’s algorithmic stablecoin had dumped 11% on the day and was trading well below a dollar at $0.24.
DeFi compensation funds
Users will be compensated with 87.5% of their deposits in BUSD immediately with an additional 7.5% in BDOv2 (bDollar) tokens. The final 10% will be in BDEX which will be released over time, resulting in a total recompense of 105%.
As attacks escalate, compensation plans are becoming more frequent and it’s likely that all DeFi projects will need to allocate a slice of their token supply for such purposes.
On May 16, BeInCrypto reported that staking platform xToken had allocated 2% or 20 million tokens to compensate victims of a similar exploit in which it lost $24 million.
Rari Capital, which was exploited on May 8 also using flash loans, made similar plans to use 2 million tokens to reimburse victims.