Uranium Finance Hack — April 28, 2021
What Happened
Uranium Finance, a BSC-based AMM/yield-farming DeFi protocol, was hacked for $50M on April 28, 2021 during the v2.1 migration. A second smaller attack on April 29 drained another $4M, totaling ~$57M.
Root Cause: AMM Migration Math Error
The vulnerability was a critical flaw in the migrated AMM contract:
• Uranium V2 introduced a magic number change: fee multiplier from 1000 to 10000
• BUT one critical balance-check assertion still used the OLD value 1000
• Result: the post-swap K invariant was guaranteed to be 100× larger than pre-swap K when no token balance changed
• An attacker could swap a minimal input (e.g. 1 wei) and receive nearly the entire pool's reserves
Attack Mechanics
1. Attacker swapped tiny input amounts via the buggy swap() function
2. The faulty K-check accepted the trade as valid
3. Drained nearly all liquidity from every pool
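
The scale mismatch described above, modelled in Python as an added example (not Uranium's contract code and not part of the original page). The Uniswap-V2-style form of the check, the fee numerator 16, the pool reserves and all function names are assumptions made for illustration.

```python
# Model of a Uniswap-V2-style K check in integer math (not the project's contract code).
OLD_SCALE = 1000    # value the page says the balance-check assertion still used
NEW_SCALE = 10000   # value the page says the fee multiplier was changed to
FEE = 16            # assumed fee numerator, constructed for this example


def k_check(reserves, balances, amounts_in, adjust_scale, required_scale, fee=FEE):
    """True if the swap passes: adj0 * adj1 >= reserve0 * reserve1 * required_scale**2,
    where adjN = balanceN * adjust_scale - amount_inN * fee."""
    adj0 = balances[0] * adjust_scale - amounts_in[0] * fee
    adj1 = balances[1] * adjust_scale - amounts_in[1] * fee
    return adj0 * adj1 >= reserves[0] * reserves[1] * required_scale ** 2


def max_output_passing(reserves, amount0_in, adjust_scale, required_scale):
    """Largest token1 output the check accepts for a token0 input (binary search;
    valid because a larger output only lowers the left-hand side)."""
    r0, r1 = reserves
    lo, hi = 0, r1 - 1          # an output of the full reserve is never allowed
    while lo < hi:
        mid = (lo + hi + 1) // 2
        balances = (r0 + amount0_in, r1 - mid)
        if k_check(reserves, balances, (amount0_in, 0), adjust_scale, required_scale):
            lo = mid
        else:
            hi = mid - 1
    return lo


def zero_input_swap_rejected(reserves, adjust_scale, required_scale):
    """Regression property: taking 1 unit out while paying nothing in must fail."""
    r0, r1 = reserves
    return not k_check(reserves, (r0, r1 - 1), (0, 0), adjust_scale, required_scale)


if __name__ == "__main__":
    pool = (1_000_000, 1_000_000)   # constructed reserves
    print("mismatched scales:", max_output_passing(pool, 1, NEW_SCALE, OLD_SCALE))
    print("consistent scales:", max_output_passing(pool, 1, NEW_SCALE, NEW_SCALE))
    print("property holds (mismatched):", zero_input_swap_rejected(pool, NEW_SCALE, OLD_SCALE))
    print("property holds (consistent):", zero_input_swap_rejected(pool, NEW_SCALE, NEW_SCALE))
```

The zero-input property is the kind of regression test that flags a scale mismatch between the two sides of the check before deployment.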
Stolen Assets
• 80 BTC
• 1,800 ETH
• 17.9M BUSD
• 5.7M USDT
• 638,000 ADA
• 26,500 DOT
• 34,000 wBNB
• 112,000 U92 (native token)
Timing
• Attack occurred ~2 hours BEFORE the v2 launch that would have fixed the bug
• Suggests insider knowledge — exploiter knew about the migration window
Aftermath
• US prosecutors filed an indictment in 2024 against an alleged perpetrator
• Funds laundered through Tornado Cash; some recovered through enforcement actions
• Project never recovered; Uranium Finance was abandoned