Binance Smart Chain DeFi Project Impossible Finance Hacked


Reaction score

Yet another DeFi project on the Binance Smart Chain has been exploited. This time, attackers nabbed $500,000 from Impossible Finance in a flash loan attack.​


Decentralized finance (DeFi) protocol Impossible Finance has lost as much as $500,000 in user funds during a flash loan attack today. The attack on Impossible Finance’s liquidity pool occurred at around 4:40 AM UTC on June 21 and resulted in a loss of 229.84 ETH (about $0.5 million at the time). Mudit Gupta, a core developer of SushiSwap, said it was the same type of vulnerability that was exploited in a recent $7.2 million attack on BurgerSwap, another protocol built on the Binance Smart Chain (BSC). Similar to that incident in May, the hacker launched a flash loan attack to drain Impossible Finance’s liquidity pool with the help of a fake token.


A flash loan attack is an exploit wherein a hacker takes an uncollateralized loan from a lending protocol and manipulates the market in their favor via a series of technical tricks. Security firm WatchPlug said that the hacker used a vulnerability in the liquidity pool’s smart contract to perform multiple swaps of IF, Impossible Finance’s native token, to BUSD and then to BNB to repay the flash loan. The unusual thing, however, is that the swaps were made “in a row at about the same price,” which is “usually impossible” because of the slippage.


Other notable victims of flash loan attacks on the Binance Smart Chain include PancakeBunny, which lost as much as $45 million in customer funds, and BeltFinance, which was exploited for $6.2 million. The team behind the Impossible Finance protocol confirmed the news on Telegram and assured that it would compensate all funds deposited into liquidity pools prior to the attack. Currently, all liquidity pool rewards are paused, while users are urged not to add or withdraw funds for IF/BUSD and IF/BNB pairs. The team said it is working with PeckShield, WatchPlug, and “other community whitehats to investigate the situation and will have a detailed event report.” The attack on Impossible Finance happened less than three weeks after the protocol had raised $7 million in a seed round co-led by True Ventures, CMS Holdings, Alameda Research, and Hashed. The project was initially built on the Binance Smart Chain but allegedly plans to expand its functionality to Ethereum and Polygon.