How Hackers are Disrupting Projects on BSC

How Hackers are Disrupting Projects on BSC

Over the years, we’ve witnessed several game-changing hacks of BSC DeFi products.

Hackers have been successful in breaking into more than 5 BSC-based projects, making off with the equivalent of about $300 million in cryptocurrency.

Let’s first of all review the top 5 cases when it comes to BSC-based project hacking. 

1 The Qubit Finance DeFi Platform Hack – $80 million

Hackers took advantage of a vulnerability in the QBridge cross-chain service, which enabled them to generate an «astronomical» number of xETH tokens. The latter was put up as collateral for an illegal loan that was taken out through the site.

You’re able to take out loans via Qubit Finance that are secured by digital assets. The QBridge technology gives users the opportunity to utilize cryptocurrencies as collateral for loans even when the BSC is not involved. They also don’t have to be transported from one blockchain to another when being transferred to another.

According to the explanation provided by the security company CertiK, the vulnerability gave attackers the ability to issue xETH without really making a payment. Following that, they changed the assets into BNB.

2 The PancakeBunny DeFi Project Token Hack

A flash lending system launched an attack against the yield aggregator PancakeBunny, which resulted in a decline of more than 95 percent in the value of the project’s token.

According to PancakeBunny, the hacker influenced the price of BNB coins relative to the Binance USD stablecoin and Bunny tokens by using PancakeSwap to borrow enormous sums of BNB coins. The enormous quantities of Bunny tokens that the hacker had obtained were subsequently dumped onto the market. As a direct consequence of this action, the price of the asset plummeted from $146 to $6.17 – this marks a drop of more than 95 percent.

3 The DeFi protocol xToken Hack – $25 million lost

Around 10 minutes after it had begun, the professionals observed «discrepancies in pricing and supply,» and they halted the operation of the smart contracts as a result.

The xBNTa and xSNXa liquidity pools were promptly depleted once the unknown had intervened. Both BNT and SNX tokens stayed put in their respective xToken contracts. Since the hacker used Ethereum as part of a debt hedging plan, he was able to steal 416 ETH from the xSNX contract without getting caught.

The asset value of the liquidity pools Bancor and Balancer decreased by around $25 million.

The attacker obtained a payday loan in the amount of 61,800 ETH and then utilized two vulnerabilities:

– An unknown user managed to utilize the cryptocurrency to manipulate the Kyber Network’s oracle, which gives data on the price of SNX to the blockchain. The hacker was able to create a huge quantity of synthetic tokens, which were subsequently exchanged for ETH and SNX.

– Because xBNT is a «wrapped» token, a promise in BNT is required before it can be issued. The xToken smart contract, on the other hand, did not check for this dependence. Because of this weakness, the hacker utilized less expensive SPD tokens.

4 Attackers steal $6.2 million from Belt Finance’s DeFi Protocol 

The scammer managed to withdraw funds over the course of 8 separate transactions.

On the PancakeSwap platform, the attacker borrowed $385 million in BUSD. He then put $10,000 into the bEllipsisBUSD plan. The hacker put $187 million in BUSD into the bVenusBUSD scheme seven times in a row. He then used the Ellipsis platform to trade $190 million in BUSD for $169 million in USDT. 

Following that, the attacker withdrew more BUSD from the bVenusBUSD strategy and used the Ellipsis platform to trade $169 million in USDT for $189 million in BUSD. He then funded the bVenusBUSD plan using BUSD. Finally, the hacker repaid the quick loans and pocketed the proceeds.

He did this since the price of beltUSD is determined by the sum of all strategies’ balances on the site. Manipulation of these tactics thus implies the capacity to impact the price of a Belt Finance platform asset.

5 Hackers withdraw over $13 million from the Deus Finance DAO DeFi protocol

The attacker took funds worth around $13.4 million from smart contracts, according to PeckShield, but the project itself «may have lost more». An anonymous user removed almost $3 million from the protocol in March 2022, comprising 200,000 DAI and 1,101.8 ETH. To do this, he employed fast loans. The assets gained in this manner allowed the hacker to control the oracle that calculates the USDC/DEI pair’s pricing. According to analysts, a similar attack vector was utilized on April 28.

The attack was made possible through an immediate loan aimed at manipulating a pricing oracle that reads data from the USDC/DEI pair. Following that, the altered DEI collateral price was utilized to borrow and deplete the pool.

The hacker spent 800 ETH ($2.31 million) to launch the attack, according to the business. He transmitted cash to the Fantom network through the Tornado Cash mixer and the Multichain cross-chain protocol. The attacker exchanged the stolen funds for Ethereum.

Hacking methods unpacked

Now you’re familiar with some of the most famous case studies, we can move on to examining the most prevalent methods for hacking the online terminals of cryptocurrency exchanges, which allow hackers to clean the hot wallets of trading platforms.


Cross-Site Scripting attacks are possible on almost all trading terminals. Using the discovered vulnerabilities, attackers insert malicious code onto the online resource page, redirecting traders to third-party web resources and/or infecting users’ devices with harmful malware. Stealer infections, for example, steal passwords from wallets or change the sender’s address in the clipboard.

Configuration Vulnerabilities

HTTP headers may be missing from web terminals, which increases protection against some sorts of hacker assaults. The ContentSecurity-Policy header, for example, guards against malicious content injection attacks such as XSS assaults, X-Frame-Options protects against Clickjacking attacks, and Strict-Transport-Security enforces a secure connection using HyperText Transfer Protocol Secure (HTTPS).

Vulnerabilities in code

According to Coverity, a business that specializes in software quality and security testing solutions, there are 0.52 mistakes for every 1000 lines of code in open source products and 0.72 errors in proprietary goods (the quality standard is fewer than 1 error per 1000 lines of code). These flaws may have a detrimental impact on the platform’s security.

Even if the exchange’s engineers create the code flawlessly, there is always the possibility of a vulnerability in third-party software. For example, flaws in the operating system, payment gateway, or messenger can be used to phish or install malicious malware on exchange employees’ devices.

Smart contract weaknesses

Hackers find a flaw in the wallet’s smart contract code, allowing them to grab control of the victim’s cash. Furthermore, this might be a targeted assault on a particular wallet or a mass attack if several wallets are vulnerable.

Phishing and social engineering

The most common method of hacking accounts is to take advantage of human flaws. Malefactors disguised as exchange representatives get access to employees’ computers (which might take months to complete) and steal secret keys. Hacking a private account is significantly easier now that Google Play is available.

SMS authentication

If attackers are aware that a certain individual is trading or functioning as an administrator of a cryptocurrency exchange, his SMS can be intercepted and utilized in authentication or access recovery procedures.


Hackers will continue to find a source of profit in compromising cryptocurrency exchanges for a considerable amount of time to come, given the high level of consumer interest in virtual currencies. Even while the administration of the exchanges is aware of the most common hacking techniques, they are unable to predict whether or not their website will be hacked and how exactly this would occur due to the fact that each usage of bugs is a unique circumstance.