Hacker Exploits Binance Yield Farms and Drains Tokens to $0.00

Garuda, Cerberus, KetchupSwap and others affected

An anonymous hacker has used exploits to drain the value out of several yield farms on Binance Smart Chain, getting away with millions of dollars.

On Wednesday, June 16th, KetchupSwap, Lokum, YBear, Piggy, CaramelSwap, GoCerberus, and Garuda all saw their native tokens plummet to $0. A hacker managed to exploit these DeFi protocols, which were all built on the same contract design.

The exact value stolen through the hack is still unclear. However, the hacker potentially got away with an amount of money comparable to the market cap of each of these projects. The GARUDA token has a market cap of around $2 million, while CERBERUS was closer to $4 million. Add the other farms, and we're probably looking at a $10 million exploit.

The exploits targeted only the native tokens of these Binance Smart Chain projects, letting the hacker massively amplify their rewards and then dump the excess tokens onto the market. It's important to note that non-native tokens, such as CAKE or BNB, aren't affected by the exploit.

What happened? 

Most yield farms on Binance Smart Chain use the MasterChef contract to distribute rewards. This contract was designed to distribute rewards for liquidity pool tokens, but all these farms also used the MasterChef contract for other types of rewards. One of the latest trends in DeFi is adding a transaction fee to every transfer on the platform.

This combination is what gave the hacker room to exploit the contract. Because the MasterChef contract was never designed to compare the balances it records for users against the tokens actually held in the pool, users were able to generate so many tokens in a single harvest that they could instantly empty the pool. In effect, the hacker could generate thousands of tokens even if there was only one token in the pool. This happened to GarudaSwap, Cerberus, KetchupSwap, and all the others.
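The accounting gap described above can be made concrete with a small model. The following Python is an added example written for this article, not code from MasterChef or from any of the affected projects: it pairs a hypothetical fee-on-transfer token (constructed 5% fee) with two pool implementations, one that credits the amount a depositor asked to deposit, the way a MasterChef-style contract does, and one that credits only what the pool actually received. The `accounting_consistent` check is the invariant a farm operator would want to monitor: the sum of recorded user balances must never exceed the tokens the pool really holds. The user names, balances and fee rate are all constructed.

```python
"""Model of MasterChef-style deposit accounting against a fee-on-transfer token.

Hypothetical example: none of the classes here are the real MasterChef contract.
"""
from dataclasses import dataclass, field
from typing import Dict

FEE_BPS = 500   # constructed: 5% fee burned on every transfer (the "transaction fee" trend)
POOL = "pool"   # account name standing in for the farm contract's own address


@dataclass
class FeeOnTransferToken:
    """Toy token that removes a fee from every transfer (constructed, not any project's token)."""
    balances: Dict[str, int] = field(default_factory=dict)

    def balance_of(self, account: str) -> int:
        return self.balances.get(account, 0)

    def transfer(self, sender: str, recipient: str, amount: int) -> int:
        if self.balance_of(sender) < amount:
            raise ValueError(f"{sender} has insufficient balance")
        fee = amount * FEE_BPS // 10_000
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount - fee
        return amount - fee  # what actually arrived at the recipient


class NaivePool:
    """Credits the requested amount, ignoring any fee taken in transit."""

    def __init__(self, token: FeeOnTransferToken) -> None:
        self.token = token
        self.user_amount: Dict[str, int] = {}

    def deposit(self, user: str, amount: int) -> None:
        self.token.transfer(user, POOL, amount)
        # Bug being modelled: the caller's argument is trusted as the deposited amount.
        self.user_amount[user] = self.user_amount.get(user, 0) + amount


class BalanceDeltaPool(NaivePool):
    """Hardened variant: credits only the balance change the pool observes."""

    def deposit(self, user: str, amount: int) -> None:
        before = self.token.balance_of(POOL)
        self.token.transfer(user, POOL, amount)
        received = self.token.balance_of(POOL) - before
        self.user_amount[user] = self.user_amount.get(user, 0) + received


def recorded_total(pool: NaivePool) -> int:
    """Sum of what the pool believes its users have deposited."""
    return sum(pool.user_amount.values())


def accounting_consistent(pool: NaivePool) -> bool:
    """Invariant worth monitoring: recorded deposits must not exceed real holdings."""
    return recorded_total(pool) <= pool.token.balance_of(POOL)


def run_scenario(pool_cls: type) -> tuple:
    """Two constructed depositors put 1,000 tokens each into a fresh pool."""
    token = FeeOnTransferToken({"alice": 1_000, "bob": 1_000})
    pool = pool_cls(token)
    pool.deposit("alice", 1_000)
    pool.deposit("bob", 1_000)
    return recorded_total(pool), token.balance_of(POOL), accounting_consistent(pool)


if __name__ == "__main__":
    for cls in (NaivePool, BalanceDeltaPool):
        recorded, actual, ok = run_scenario(cls)
        print(f"{cls.__name__}: recorded={recorded} actual={actual} consistent={ok}")
```

With the naive pool the two deposits are recorded as 2,000 tokens while only 1,900 arrived, so the invariant fails from the very first fee-bearing deposit; the balance-delta pool records 1,900 and stays consistent. Measuring the delta is the standard way to make a reward contract safe against tokens that take a fee on transfer, and the invariant check is cheap enough to run on every deposit.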

Already a response

Cerberus and Garuda have initiated the Thoreum Finance initiative, which introduces improved smart contracts. Users holding one of these tokens will be compensated. The team is planning to launch a new platform, and they will use a snapshot taken before the exploit to determine how many tokens everybody held. However, Thoreum Finance won't have their emergency program ready this week.

"We know that this should happen soon so we are talking with a professional team to do this service for us. But this will take time, because it is complicated, so please be patient with us!" project leader ZeusThunder wrote in a statement.

