Uranium Finance
Hacked · DeFi · born 2021 · ✝ 2021
A migration typo handed an attacker the whole pool.
Uranium Finance was a BNB Chain automated market maker forked from Uniswap. During a v2 migration in 2021 a bug in its pair math let an attacker drain roughly $57.2M.
- Peak: ~$57.2M stolen
- Cause: Hacked
- Year of death: 2021
☠️ Cause of death
A mistaken constant in the rebalanced pair contract corrupted the invariant check, letting the attacker swap out nearly the entire pool for almost nothing.
📓 Lessons left behind
- Audit forked code line-by-line, not just the original.
- Math constants changed during a migration must be reverified.
- AMM invariant checks are the last line of defense and must hold.
🌱 The idea that survived
Invariant testing
Reinforced the need for property-based and invariant tests on AMM swap math before deployment.
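
A property-based invariant test in that spirit, added here as an illustration and not Uranium's or Uniswap's code: it models a constant-product swap check with separate scale constants and searches random swaps for one the check accepts even though the reserve product falls. The function names and the fee and scale values are constructed for the example, not taken from the incident.

```python
import random

def swap_allowed(r0, r1, in0, out1, fee_scale, k_scale, fee):
    """Constant-product post-swap check (token0 in, token1 out).

    fee_scale scales the fee-adjusted balances; k_scale scales the old
    reserves. The check is only sound when the two are the same constant.
    """
    if out1 >= r1:
        return False
    b0, b1 = r0 + in0, r1 - out1              # balances after the swap
    adj0 = b0 * fee_scale - in0 * fee         # input side pays the fee
    adj1 = b1 * fee_scale
    return adj0 * adj1 >= r0 * r1 * k_scale ** 2

def find_invariant_violation(fee_scale, k_scale, fee, trials=20000, seed=1):
    """Property: an accepted swap must never lower reserve0 * reserve1.

    Returns the first counterexample as a dict, or None if none is found.
    """
    rng = random.Random(seed)                 # fixed seed: reproducible run
    for _ in range(trials):
        r0, r1 = rng.randint(10**3, 10**9), rng.randint(10**3, 10**9)
        in0, out1 = rng.randint(0, r0), rng.randint(0, r1 - 1)
        if not swap_allowed(r0, r1, in0, out1, fee_scale, k_scale, fee):
            continue
        k_before, k_after = r0 * r1, (r0 + in0) * (r1 - out1)
        if k_after < k_before:
            return {"r0": r0, "r1": r1, "in0": in0, "out1": out1,
                    "k_before": k_before, "k_after": k_after}
    return None

if __name__ == "__main__":
    # Constructed constants: 30/10000 fee, matched vs. mismatched K scale.
    print("matched   :", find_invariant_violation(10000, 10000, 30))
    print("mismatched:", find_invariant_violation(10000, 1000, 30))
```

Run as a pre-deployment gate, the matched configuration yields no counterexample, while a scale constant changed on only one side of the comparison fails the property within the first few trials.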
#defi #amm #math-bug #bsc