Nearly four years after the devastating 2021 Uranium Finance hack, U.S. authorities have seized $31 million in cryptocurrency tied to the theft. On Monday, the U.S. Attorney's Office for the Southern District of New York announced the seizure as a coordinated effort with Homeland Security Investigations (HSI) San Diego.
The attackers laundered the money through crypto mixers and centralized exchanges, moving it in many small, parallel transfers to avoid detection. More surprising is the role of Magic: The Gathering, a trading card game: according to the blockchain investigator ZachXBT, the attacker spent part of the proceeds on trading cards, a purchase that looks innocuous but was used to launder still more of the stolen funds.
Victims were left stranded with no idea what was happening behind the scenes: Uranium Finance's website went offline on April 28, 2021, and its X account has not posted since April 30, 2021. The bug let the attacker pass the pair contract's balance check after removing almost all of a pool's reserves, draining one liquidity pool after another.
A brief inspection of the original Uniswap V2 pair code shows how the constant-product invariant is enforced at the end of every swap: each post-swap token balance is multiplied by 1,000 (with the fee subtracted), and the product of the two adjusted balances must be at least the product of the pre-swap reserves multiplied by 1,000². Uranium Finance forked this code and changed the balance multiplier to 10,000, to accommodate a different fee, but left the right-hand side of the comparison at 1,000².
Uniswap is a heavily used swapping protocol whose code has been hardened by an enormous volume of transactions and extensive review. That assurance does not carry over to a fork that the original developers and auditors are not involved in. In Uranium Finance's case the mismatched constant inflated the left-hand side of the check by a factor of (10,000 / 1,000)² = 100, so the invariant was satisfied as long as the product of the remaining balances was at least one hundredth of the original product. An attacker could therefore send in a trivial amount of one token and withdraw nearly all (up to 99%) of the other token's reserve in a single swap.
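The following Python model, added here as an illustration and not code from Uniswap or Uranium Finance, mirrors the K check at the end of the pair contract's swap and shows what the mismatched constant does. The 1,000 and 10,000 multipliers and the 1,000² right-hand side are the values the text describes; the fee numerators (3 for Uniswap's 0.3%, 16 for the fork) and the pool sizes are constructed for the example, and the hypothetical URANIUM_FIXED parameter set shows the check with both sides scaled consistently.

```python
"""Toy model of the UniswapV2Pair.swap K-invariant check and the Uranium
Finance fork's broken variant. Illustrative Python; the real contracts are
Solidity and all reserve and amount values below are constructed."""

# Uniswap V2 scales adjusted balances by 1000 and compares against
# reserves * 1000**2. The Uranium fork raised the balance scale to 10000
# (fee numerator 16 assumed here for illustration) but left the right-hand
# side at 1000**2. URANIUM_FIXED is a hypothetical corrected parameter set.
UNISWAP_V2 = {"scale": 1000, "fee_num": 3, "rhs_scale": 1000}
URANIUM_V2 = {"scale": 10000, "fee_num": 16, "rhs_scale": 1000}      # the bug
URANIUM_FIXED = {"scale": 10000, "fee_num": 16, "rhs_scale": 10000}  # both sides agree

WAD = 10 ** 18  # 18-decimal token unit


def k_check_passes(reserve0, reserve1, balance0, balance1,
                   amount0_in, amount1_in, scale, fee_num, rhs_scale):
    """Mirror of the require(..., 'K') line at the end of swap():

    balanceNAdjusted = balanceN * scale - amountNIn * fee_num
    require(adj0 * adj1 >= reserve0 * reserve1 * rhs_scale**2)
    """
    adj0 = balance0 * scale - amount0_in * fee_num
    adj1 = balance1 * scale - amount1_in * fee_num
    if adj0 < 0 or adj1 < 0:  # SafeMath.sub would revert here
        return False
    return adj0 * adj1 >= reserve0 * reserve1 * rhs_scale ** 2


def swap(pool, amount0_in, amount1_in, amount0_out, amount1_out, params):
    """Apply a swap to `pool` if the pair's K check accepts it; returns bool."""
    r0, r1 = pool["reserve0"], pool["reserve1"]
    if amount0_out >= r0 or amount1_out >= r1:
        return False  # INSUFFICIENT_LIQUIDITY
    b0 = r0 + amount0_in - amount0_out  # post-swap token balances
    b1 = r1 + amount1_in - amount1_out
    if not k_check_passes(r0, r1, b0, b1, amount0_in, amount1_in, **params):
        return False
    pool["reserve0"], pool["reserve1"] = b0, b1
    return True


def get_amount_out(amount_in, reserve_in, reserve_out, scale, fee_num, **_):
    """UniswapV2Library.getAmountOut generalised to the fork's fee scale."""
    amount_in_with_fee = amount_in * (scale - fee_num)
    return amount_in_with_fee * reserve_out // (reserve_in * scale + amount_in_with_fee)


def honest_swap_passes(params, reserve0=1_000_000 * WAD, reserve1=1_000_000 * WAD,
                       amount_in=1_000 * WAD):
    """A router-priced swap must satisfy the K check under every parameter set."""
    pool = {"reserve0": reserve0, "reserve1": reserve1}
    out = get_amount_out(amount_in, reserve0, reserve1, **params)
    return swap(pool, amount_in, 0, 0, out, params)


def max_drain_percent(params, reserve0=1_000_000 * WAD, reserve1=1_000_000 * WAD):
    """Largest whole percentage of reserve1 that 1 wei of token0 can buy.

    Under a consistent check this is 0: one wei buys essentially nothing.
    Under the Uranium parameters the adjusted product is inflated by
    (10000 / 1000)**2 = 100, so a single swap can take up to 99% of a reserve.
    """
    for pct in range(99, 0, -1):
        pool = {"reserve0": reserve0, "reserve1": reserve1}
        if swap(pool, 1, 0, 0, reserve1 * pct // 100, params):
            return pct
    return 0


if __name__ == "__main__":
    for name, params in [("Uniswap V2", UNISWAP_V2), ("Uranium fork", URANIUM_V2),
                         ("Uranium, RHS fixed", URANIUM_FIXED)]:
        print(f"{name:20s} honest swap ok: {honest_swap_passes(params)}  "
              f"1 wei drains: {max_drain_percent(params)}% of reserve1")
```

The honest swap passes under all three parameter sets, which is why the bug survived ordinary use: legitimate trades never hit the weakened bound. Only an adversarial swap that pulls out far more than the constant-product price allows reveals that the check is 100 times too lenient.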
This discrepancy allowed the attacker to drain the pair tokens from pool after pool, and the same ecosystem then eased their withdrawal and obfuscation. They mixed the stolen tokens through Tornado Cash and deposited the proceeds at a centralized exchange, leaving authorities with a daunting task: tracing the stolen funds.
The attackers appear to have been meticulous, which raises the question of how the authorities managed to trace the funds. They have not disclosed the details of the seizure, and more information may be released later.
The attack spanned multiple tokens: BNB and the BUSD stablecoin accounted for $18 million of the losses, Ethereum (ETH) and Binance-pegged Bitcoin (BTCB) around $9 million, USDT around $6.7 million, and DOT, ADA, and Uranium Finance's own token $1.7 million.
Public records on BscScan show the attacker swapping the ADA and DOT for Ethereum in preparation for laundering, accumulating around 2,400 ETH, worth roughly $5.7 million at the time. These funds were then passed through Tornado Cash, an Ethereum anonymity and privacy tool, further complicating the investigation.
The Uranium Finance hack is a stark reminder of how a single wrong constant can be fatal for a Web 3.0 platform. Discrepancies between a fork and its upstream are especially risky because the fork rarely inherits the original project's people, experience, funding, and review process along with the code.
In this case, Uranium Finance's smart contract was vulnerable because of a broken K-invariant check. The authorities' seizure of $31 million in cryptocurrency marks a significant victory in their efforts to combat cybercrime and protect investors.