Iron Finance DeFi Exploit Explained in Post Mortem

17 March 2021, 05:53 GMT+0000
Updated by Kyle Baird
In Brief
  • Iron Finance exploit results in $170,000 loss.
  • The team made a mistake after a FaaS upgrade.
  • Farms and tokens will be relaunched to reimburse users.

The latest decentralized finance protocol to get exploited is Iron Finance. The platform lost $170,000 from its liquidity pools following erroneous actions by the team.

Iron Finance is a partially collateralized stablecoin platform based on the Binance Smart Chain (BSC).

It reported that on March 16, two Iron Finance vFarm pools were “subject to an incident”. This ordeal resulted in the loss of user deposits.

It claims that an attacker managed to exploit the system and drain the pools. The bad actor(s) made off with $170,000 worth of its native SIL tokens. These were then sold for BUSD (Binance’s stablecoin) on the markets.

Resetting the Iron Finance Farms  

Value DeFi posted on Telegram explaining that a cloud service (FaaS) upgrade changed the reward rate integer. The Iron Finance team, however, was unaware of the change. It updated the pools with a different reward rate integer, which is what caused the incident.

The pool rewards were inflated by the error and someone took advantage by draining all SIL rewards and selling them. The IRON/SIL and IRON/BUSD pools were affected.
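The failure described above is a mismatch between the reward rate integer an operator submits and the way the pool interprets it. The following pre-flight check is an added example, not code from Iron Finance or Value DeFi; it assumes the mismatch was one of scale, and the scales, rates, block count and budget are all constructed values.

```python
from decimal import Decimal

# Constructed values: the page gives no real rates, scales or pool budgets.
OLD_SCALE = 10**18  # assumed meaning of the rate integer before the upgrade
NEW_SCALE = 10**12  # assumed meaning after the upgrade (hypothetical)


def encode_rate(tokens_per_block: Decimal, scale: int) -> int:
    """Turn a human-readable emission rate into the integer the pool stores."""
    return int(tokens_per_block * scale)


def effective_rate(rate_int: int, scale: int) -> Decimal:
    """Tokens per block the pool will actually pay for a stored integer."""
    return Decimal(rate_int) / Decimal(scale)


def preflight(rate_int, pool_scale, intended, blocks, budget,
              tolerance=Decimal("0.01")):
    """Return the reasons a reward-rate update must be rejected (empty = safe)."""
    problems = []
    actual = effective_rate(rate_int, pool_scale)
    # Check 1: the decoded rate must match what the operator intended.
    if abs(actual - intended) > intended * tolerance:
        problems.append(f"effective rate {actual} != intended {intended}")
    # Check 2: emission over the farming period must fit the reward budget.
    projected = actual * blocks
    if projected > budget:
        problems.append(f"projected emission {projected} exceeds budget {budget}")
    return problems


def demo():
    intended = Decimal("0.5")      # reward tokens per block the team wants
    blocks = 28_800 * 30           # assumed: about 30 days of ~3 s blocks
    budget = Decimal("500000")     # reward tokens set aside for the pool
    stale = encode_rate(intended, OLD_SCALE)  # computed with the old scale
    fresh = encode_rate(intended, NEW_SCALE)  # computed with the current scale
    return (preflight(stale, NEW_SCALE, intended, blocks, budget),
            preflight(fresh, NEW_SCALE, intended, blocks, budget))


if __name__ == "__main__":
    bad, good = demo()
    print("stale-scale update:", bad or "ok")
    print("current-scale update:", good or "ok")
```

Running the same two checks against the value read back from the pool after an update catches a mismatch that was missed before submission.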

The team claims that there was no flaw in the Iron Finance smart contracts and has taken responsibility for the incident.

It explained that vFarms will be relaunched on March 18 and the SIL token will be relaunched as sIRON. Iron Finance also published a document for affected users to enter their details. This is likely to help coordinate a refund process for the new tokens.

The update told users not to sell or redeem their IRON tokens for the time being. When the new pools launch on March 18, the full amount of BUSD will be redeemable.

The protocol was launched on BSC in early March with an IRON stablecoin pegged to USD. It’s partially backed by collateral like BUSD and USDT and partially backed algorithmically by SIL.

Decentralization Debate

The token relaunch is good news for those who lost funds. However, it cannot really be described as DeFi if some have the power to reset the system.

Similar incidents have occurred with Yam Finance and a number of other platforms in the past. The fledgling financial landscape is still evolving, striving for a balance between security and full decentralization.

Earlier this month the BSC-based DODO exchange was exploited for almost $2 million. As BSC grows, Binance’s blockchain is becoming a bigger target for malicious actors.


BeInCrypto has reached out to the company or individual involved in the story to get an official statement about the recent developments, but it has yet to hear back.