Allbridge suffered a flash loan attack for $573k
Summary
On April 2, 2023, Allbridge, a multichain token bridge, fell victim to an exploit that resulted in approximately $573,000 worth of assets being drained from its BNB Chain pools. The attacker, acting as both a liquidity provider and a swapper, exploited a flaw in a smart contract that enabled them to manipulate swap prices. This led to the theft of $282,889 in Binance USD (BUSD) and $290,868 in Tether (USDT).
Attackers
The identity of the attacker is unknown.
BSC:
Losses
- $573,000
Timeline
- April 2, 2023: The Allbridge exploit occurs. The bridge is promptly shut down to prevent further attacks on other pools.
- April 3, 2023, 07:13:26 PM +UTC: The team sends an on-chain message to the attacker, offering a white hat bounty for the return of the stolen assets and promising not to pursue legal action if the funds are returned.
- April 3, 2023, 04:07:52 PM +UTC: The attacker returns around 1500 BNB ($466,144) to the project.
- April 5, 2023: A significant amount of BNB, approximately 507.3 BNB worth about $159K, is transferred from an address labeled as Allbridge Exploiter to Tornado Cash.
Security Failure Causes
- Smart Contract Vulnerability: The root cause of the exploit was a flaw in the withdraw function of the smart contract. This flaw allowed the attacker to manipulate the swap price in the liquidity pool to their advantage.