Uranium Finance DeFi BSC Exploit – $50 Million Stolen via Liquidity Migration Attack
Incident Details
On 28 April 2021, an attacker exploited a critical vulnerability in Uranium Finance, a decentralised exchange (DEX) and automated market maker (AMM) protocol built on Binance Smart Chain (BSC), and stole approximately $50 million worth of cryptocurrency. The exploit targeted Uranium Finance's v2 smart contracts during the protocol's migration from its v1 to v2 infrastructure. The root cause was an arithmetic error in the contract code: a single digit change from 1000 to 10000 in a divisor allowed the attacker to manipulate the internal reserve accounting, enabling extraction of far more tokens than should have been possible. The attacker used approximately $1 million in initial capital to drain pools containing BUSD, BNB, ETH, DOT, ADA, and URANIUM tokens. The stolen funds were quickly moved through multiple wallets and bridges including Tornado Cash.
Uranium Finance was conducting its migration as a direct response to an earlier smaller exploit on 7 April 2021 (Uranium v1 was exploited for approximately $1.3 million). The second, far larger v2 exploit that occurred during the migration attempt has been described as one of the largest DeFi exploits of 2021. Uranium Finance attempted to negotiate with the attacker and posted a message on-chain requesting return of funds. The protocol shut down following the exploit.
In April 2026, the US Department of Justice announced charges against individuals linked to the Uranium Finance exploit, marking one of the first criminal prosecutions specifically related to a BSC DeFi protocol theft, nearly five years after the original incident.
Technical Details
- Initial Attack Vector
- Uranium Finance's v2 smart contracts contained a critical arithmetic error in the liquidity migration function; the attacker exploited the bug during the protocol's migration from v1 to v2, using flash loans to manipulate reserve balances and drain funds from liquidity pools; the exploit required only a small initial capital to trigger and was executed in a single transaction
- Vendor / Product
- Uranium Finance (Binance Smart Chain DeFi protocol) v2 liquidity migration contracts
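
The 1000 versus 10000 mismatch described above, modelled as an added example (it is not Uranium Finance's contract code and not from the original page): a reviewer's property test that sweeps swaps and flags any accepted swap that shrinks the real reserve product. It assumes the check has the Uniswap-v2 constant-product form, which the page does not show; the function names, reserves and fee value are constructed.

```python
# Added illustration, not contract code: a constant-product ("K") check in the
# Uniswap-v2 style, modelled with Python integers. All values are constructed.

def k_check(reserves, balances, amounts_in, fee_units, scale_lhs, scale_rhs):
    """Return True if the pair accepts the swap.

    balances are the post-swap token balances. The fee is charged on the
    input amounts in units of 1/scale_lhs. The check is only sound when
    scale_lhs == scale_rhs, because both sides must be scaled identically.
    """
    (r0, r1), (b0, b1), (in0, in1) = reserves, balances, amounts_in
    adj0 = b0 * scale_lhs - in0 * fee_units
    adj1 = b1 * scale_lhs - in1 * fee_units
    return adj0 * adj1 >= r0 * r1 * scale_rhs ** 2


def sweep(reserves, fee_units, scale_lhs, scale_rhs, steps=1000):
    """Property test: every accepted swap must keep b0*b1 >= r0*r1.

    Deposits 1% of token0 and tries token1 withdrawals of i/steps of the
    reserve. Returns (accepted, violations) as lists of withdrawal amounts.
    """
    r0, r1 = reserves
    in0 = r0 // 100
    accepted, violations = [], []
    for i in range(1, steps):
        out1 = r1 * i // steps
        balances = (r0 + in0, r1 - out1)
        if k_check(reserves, balances, (in0, 0), fee_units, scale_lhs, scale_rhs):
            accepted.append(out1)
            if balances[0] * balances[1] < r0 * r1:
                violations.append(out1)
    return accepted, violations


RESERVES = (10**24, 10**24)  # constructed pool: 1,000,000 tokens, 18 decimals
FEE_UNITS = 16               # constructed fee: 16/10000 of the input

if __name__ == "__main__":
    for rhs in (10000, 1000):
        ok, bad = sweep(RESERVES, FEE_UNITS, 10000, rhs)
        print(f"rhs scale {rhs}: accepted={len(ok)} invariant violations={len(bad)}")
```

With matching scales the sweep accepts only withdrawals that the deposit pays for; with the right-hand side scaled by 1000 instead of 10000 the required product is 100 times too small, so the property test reports violations for almost every withdrawal size.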
Timeline
- 2021-04-28 Breach occurred
- 2021-04-28 Publicly disclosed