Umbrella Network

The hacker attacked Umbrella Network's reward pools, causing $700,000 to be siphoned from both BNB Chain and Ethereum.



On March 20, 2022, Umbrella Network revealed that the LP tokens staked in their Polar Stream staking contracts on Ethereum and BNB
Chain had been drained from both contracts. According to reports, the hacker then used the stolen LP tokens to withdraw liquidity
from both the UMB-ETH Uniswap and the UMB-BNB Pancakeswap pools.

The hack is possible because of an unchecked underflow in withdraw() so that anyone can withdraw any amount even without any
balance.

The hackers attacked Chainswap’s contracts and stole a little over 3 million $UMB tokens on ETH from the Chainswap vault, which
was the entirety of the UMB tokens available there. The hackers also managed to mint an additional 20 million in UMB tokens on the
BSC side but did not manage to sell them before all UMB tokens there were frozen.

The transactions the hackers have made:
https://docs.google.com/spreadsheets/d/1KxLpMvhypikrcNph7NAimeFdyPbRK1rrw-6yAcREqa4/edit?usp=sharing