A flash loan attack on the BNB Chain has resulted in the largest single arbitrage profit in its history, according to security experts.
The attacker exploited a price manipulation vulnerability on the BH token (BH) and made off with $1.27 million in USDT.
As reported by Chinese journalist Colin Wu on Oct. 11, the attacker used a bot to borrow a large amount of USDT from a lending platform and then manipulated the price of BH on PancakeSwap, a decentralized exchange on the BNB Chain.
According to EigenPhi, on October 11, MEV Bot: 0x21…480C on BNB Chain made a profit of US$1.575 million through a flash loan attack on the Pancakeswap BH/USDT trading pair for only $4.16, becoming the largest single arbitrage profit in the history of BNB Chain. According to…
— Wu Blockchain (@WuBlockchain) October 12, 2023
The bot then swapped USDT for BH at a low price and removed liquidity from the BH/USDT pair at a high price, earning a massive profit in the process. The bot spent only $4.16 in fees for the attack and transferred all the profits to the crypto mixing service Tornado Cash.
You might also like: FTX founder Sam Bankman-Fried’s trial day 6: Recap
Beosin, a blockchain security company, explained the details of the attack on X. They said the attacker exploited a function in the BH contract that allowed them to add USDT to the contract without affecting the liquidity ratio.
$BH token on BNB Chain was exploited for ~$1.27M due to suspected price manipulation. The profits were sent into Tornado Cash.
Attacker: 0xFDbfcEEa1de360364084a6F37C9cdb7AaeA63464The attacker flashloaned a large amount of $USDT, then called 0x33688938() to add $USDT to the… pic.twitter.com/POppQswi7u
— Beosin Alert (@BeosinAlert) October 11, 2023
The contract assumed the liquidity ratio was about 1 USDT:100 BH. However, the attacker changed it to 1 USDT:2 BH by swapping USDT for BH through PancakeSwap. This way, the attacker could withdraw more USDT than they deposited.
Beosin warned that this was a premeditated attack on the BH token. Moreover, PeckShield, another blockchain security firm, confirmed on X that the address involved in the attack initially received funds from Tornado Cash.
In a flash loan attack, the attacker quickly borrows a large sum of an asset with no collateral from a DeFi lending platform, uses it to manipulate vulnerabilities in other protocols, and repays the loan within the same transaction, often resulting in significant profits at the expense of the targeted protocols.
