bEarn Fi Hack - May 2021 ($11M)
Incident Overview
bEarn lost $11 million in stablecoins on May 16. The Binance Smart Chain (BSC) based cross-chain auto yield farming protocol reported the incident, which resulted in the draining of the bVault BUSD Alpaca strategy. A little over $10.8 million BUSD was stolen by an attacker who used flash loans to exploit the system.
How the Attack Worked
The attacker took out a flash loan on Cream Finance for 7.8 million BUSD and used it to deposit into and withdraw from the bVaults around 30 times. After this, the attacker withdrew 8.26 million BUSD and repaid the flash loan.
The incident resulted from an improper implementation of the withdraw function: a mistake in how the smart contract was used, present since its launch, allowed the strategy to withdraw more BUSD than needed.
Compensation Plan
Users were compensated with 87.5% of their deposits in BUSD immediately, with an additional 7.5% in BDOv2 (bDollar) tokens. The final 10% was in BDEX, which would be released over time, resulting in a total recompense of 105%.