Allbridge suffered a flash loan attack for $573k

Summary

On April 2, 2023, Allbridge, a multichain token bridge, fell victim to an exploit that drained approximately $573,000 worth of assets from its BNB Chain pools. The attacker, acting as both a liquidity provider and a swapper, exploited a flaw in a smart contract that enabled them to manipulate swap prices. This led to the theft of $282,889 in Binance USD (BUSD) and $290,868 in Tether (USDT).

Attackers

The identity of the attacker is unknown.

BSC:

Losses

  • $573,000

Timeline

  • April 2, 2023: The Allbridge exploit occurs. The bridge is promptly shut down to prevent further attacks on other pools.
  • April 3, 2023, 07:13:26 PM +UTC: The team sends an on-chain message to the attacker, offering a white hat bounty for the return of the stolen assets and promising not to pursue legal action if the funds are returned.
  • April 3, 2023, 04:07:52 PM +UTC: The attacker returns around 1500 BNB ($466,144) to the project.
  • April 5, 2023: A significant amount of BNB, approximately 507.3 BNB worth about $159K, is transferred from an address labeled as Allbridge Exploiter to Tornado Cash.

Security Failure Causes

  • Smart Contract Vulnerability: The root cause of the exploit was a flaw in the withdraw function of the smart contract. This flaw allowed the attacker to manipulate the swap price in the liquidity pool to their advantage.