Users now need to ask: how many more protocols are at risk?
At roughly 9 am UTC today Meerkat, a decentralized finance (DeFi) protocol on Binance’s smart contract platform, lost $31 million worth of BNB tokens. While the team initially claimed that they had been the victim of an exploit, they have since deleted all social channels, and due to the nature of the exploit some believe the team liquidated and pilfered user funds — a type of scam colloquially referred to as a “rugpull.”
A fork of Ethereum-native yield vault protocol Yearn Finance, Meerkat was just a few hours old when the attack drained its vaults. On-chain transactions show that an address upgraded the Meerkat deployer contract, granting the address permission to liquidate vault holdings. Users have now taken to Binance community channels to report their losses.
As of publication, Binance has released no official statement on the loss.
Given BSC’s centralized nature and the lack of a privacy-preserving “mixer” tool like Tornado Cash on the chain, some users are hopeful that Binance will be able to track down the responsible party and step in to mitigate the effects of the hack.
Team’s claiming it was a “hack” but the TXs don’t lead to that conclusion.
— Pen (@Crypto_Pen) March 4, 2021
However, Binance has yet to intervene in BSC traffic in such a manner, despite significant goading in the form of a racist yield farming project released last week.
Rugpull or exploit, there is now ongoing cause for concern for BSC users.
Last week an Ethereum-native yield vault project, Yeld, was drained of all funds from their stablecoin DAI vault. In a since-deleted blog post, the team warned that the exploit was the result of a flaw in the code they’d forked from Yearn, which the Yearn team had since patched. Dozens of other forked projects could be similarly exposed, they said.
While forking is common in Ethereum DeFi circles, BSC has elevated it to an art: many of the staple Ethereum dapps and even art projects have an exact Binance replica, meaning that previous attack vectors that plagued the DeFi summer may now have been reopened on the increasingly-popular chain.
Centralization and forking risks aside, the allure of cheap BSC transactions has nonetheless been too potent for many Ethereum developers to resist. A swath of teams including Harvest Finance, Value DeFi, Sushiswap, and 1inch have announced implementations on the chain.