ChainSwap Exploit Leads to Multi-Million Loss For DeFi Tokens

In brief

  • An attacker exploited a critical vulnerability in ChainSwap’s smart contract code.
  • The attack caused a loss of several million dollars, including from Jake Paul-backed Wilder World.
  • ChainSwap suffered another attack last week. The project racked up $800,000 in damages.

    Last night, crypto projects that had used ChainSwap to launch Ethereum tokens on Binance Smart Chain lost millions to an attacker whose address now holds about $4.4 million.

    The attacker managed to take control of the projects’ BSC contracts by exploiting ChainSwap. The attacker minted tokens directly to their address, then sold them on BSC’s most popular decentralized exchange, PancakeSwap.

    9/ In a series of nine transactions starting at block 12701866 on Ethereum, the attacker sold a total of 1,978,844.84 $WILD for a total of $327,331.98 DAI. — n3o (@real_n3o) July 11, 2021

    The attack was first spotted and analyzed by n3o, a developer at Wilder World, an Ethereum-based NFT startup backed by YouTuber Jake Paul. The attacker managed to steal 20,000,000 WILD—Wilder World’s native token.

    “Liquidity pulled temporarily, please do not buy $ASAP we are investigating the exploit,” ChainSwap tweeted at 9:30 pm UTC yesterday. ASAP, ChainSwap’s native token, is down 24% and currently trades for $0.22.

    The Chainswap team has frozen the BSC mapping token address to filter out the hackers' addresses. Balances might temporarily show 0 until we are done filtering. Smart contract is affected, not the wallets that interacted with Chainswap. Funds from individual wallets are safe — ChainSwap ($ASAP) (@chain_swap) July 11, 2021

    Other exploited tokens include Antimatter, Optionroom, Umbrellabank, Nord, Razor, Peri, Unido, Oro, Vortex, Blank, and Unifarm.

    Some of these projects, such as Antimatter and Optionroom, have said that they will compensate token holders on a 1:1 basis. Others, such as Nord, are still working out a “path forward.”

    ChainSwap has frozen its bridge between Ethereum and Binance Smart Chain, and said that all ASAP holders will be compensated.

    All holders and LPs pre-hack have been snapshotted. We will airdrop 1:1 new $ASAP tokens pre-hack, this includes $ASAP holders on exchanges. Liquidity will be re-added. Please do not buy the currently traded $ASAP. A compensation plan will be put into action for affected tokens — ChainSwap ($ASAP) (@chain_swap) July 10, 2021

    In April, ChainSwap raised $3 million in a funding round led by Alameda Research and the OKEx OK Block Dream Fund.

    Too soon

    This is the second attack ChainSwap has suffered this month. On July 2, the platform incurred $800,000 in damages after an attacker exploited another vulnerability in its code.

    ChainSwap worked with the police and OKEx to identify the attackers, and managed to negotiate the recovery of Corra and Rai tokens. An initial email exchange with the attackers suggested that they return $1 million.

    “Sorry for the trouble, you sound genuinely like great people but money is money,” the attackers of the earlier exploit told ChainSwap.