DeFi Platform bEarn loses $10.8 M in a latest hack

Binance Smart Chain (BSC) based DeFi protocol, Bearn.Fi has been targeted by hackers in an $11 million heist. According to a report by PeckShield Inc., a blockchain security company that claims to be focused on elevating the security, privacy, and usability of the blockchain ecosystem, the attack was launched on May 16, at exactly 10:36 AM +UTC.

‘BearnFi’s BvaultsBank contract was exploited to drain about $11 million of users’ funds from the pool. The incident was due to a bug in its internal withdraw logic in inconsistently reading the same input amount but with different asset denomination between BvaultsBank and the associated strategy BvaultsStrategy.”

Incident Report

The incident was the result of the improper implementation of the withdraw function, the report explained, adding that a mistake in using the smart contract from its launch allowed the strategy to withdraw more BUSD than needed.

The attacker took out a flash loan on Cream Finance for 7.8 million BUSD and used this to deposit and withdraw from the bVaults around 30 times. After this, the attacker withdrew 8.26 million BUSD and repaid the flash loan.

bEarn contacted Binance to get the attackers address blocked and prevent them from transferring funds. It also froze all of its bVaults to prevent any further losses and contacted security firms to analyze the code. A snapshot was also taken of liquidity providers addresses in order to work on a compensation plan.

Fallout

The platform announced:

“We will create a compensation fund which will consist of a combination of the remaining saved funds, Dev Fund, DAO Fund and a portion of fees generated by the protocol.”

At the time of writing, bEarn’s algorithmic stablecoin had dumped 11% on the day and was trading well below a dollar at $0.24.

Monetary Remedies

Users will be compensated with 87.5% of their deposits in BUSD immediately with an additional 7.5% in BDOv2 (bDollar) tokens. The final 10% will be in BDEX which will be released over time, resulting in a total recompense of 105%.

As attacks escalate, compensation plans are becoming more frequent and it’s likely that all DeFi projects will need to allocate a slice of their token supply for such purposes.

Validity of a Knee-Jerk Reaction

While bEarn customers were definitely happy to hear the news, some pointed out that the immediacy of compensations after a hack may create a “distorted perception of risk” for DeFi users and devalue insurance protocols. Promising a full compensation just a few hours after a hack seems to become a common theme. It creates a distorted perception of risk for the users and hurts the adoption of insurance protocols. DeFi has grown far past the value where these expectations hold true.