In May 2023, the BSC-based Swap-LP project was the victim of an attack. By manipulating a smart contract vulnerability, the attacker was able to steal 609 ETH — worth about $1 million — from the project.
Inside the Attack
The Swap-LP attacker took advantage of a low-level function in the Swap-LP factory address. By triggering this function, the attacker was able to execute a function at address 0x33604058 within the SwapLP pair. This function caused all WDZD currently deposited within the pair to be transferred to the project’s factory address.
In many DeFi smart contracts, the value of a token in a trading pair depends on the relative quantities of each of the tokens in the pair that the contract holds. Removing the WDZD token from the pair resulted in it being valued much more highly.
As a result, the attacker was able to trade WDZD tokens for SWAP LP tokens at a highly favorable exchange rate. When the attacker burned these SWAP LP tokens, they were able to make a net profit of approximately $1 million.
Lessons Learned From the Attack
The Swap-LP hack demonstrated the challenges of access control in smart contracts. By calling an accessible low-level function, the attacker was able to execute a function that had significant impacts on the perceived price of the project’s LP tokens.
An analysis of these contract logic flows is an essential part of a smart contract security audit. Get in touch with Halborn to find out more about our security auditing services.