Last night, crypto projects that had used ChainSwap to launch Ethereum tokens on Binance Smart Chain lost millions to an attacker whose address now holds about $4.4 million.
The attacker managed to take control of the projects’ BSC contracts by exploiting ChainSwap. The attacker minted tokens directly to their address, then sold them on BSC’s most popular decentralized exchange, PancakeSwap.
9/ In a series of nine transactions starting at block 12701866 on Ethereum, the attacker sold a total of 1,978,844.84 $WILD for a total of $327,331.98 DAI.
— n3o (@real_n3o) July 11, 2021
The attack was first spotted and analyzed by n30, a developer at Wilder World, an Ethereum-based NFT startup backed by YouTuber Jake Paul. The attacker managed to steal 20,000,000 WILD—Wilder World’s native token.
“Liquidity pulled temporarily, please do not buy $ASAP we are investigating the exploit,” ChainSwap tweeted at 9:30 pm UTC yesterday. ASAP, ChainSwap’s native token, is down 24% and currently trades for $0.22.
The Chainswap team has frozen the BSC mapping token address to filter out the hackers addresses.
Balances might temporarily show 0 until we are done filtering.
Smart contract is affected, not the wallets that interacted with Chainswap. Funds from individual wallets are safe
— ChainSwap ($ASAP) (@chain_swap) July 11, 2021
Other exploited tokens include Antimatter, Optionroom, Umbrellabank, Nord, Razor, Peri, Unido, Oro, Vortex, Blank, and Unifarm.
ChainSwap has frozen its bridge between Ethereum and Binance Smart Chain, and said that all ASAP holders will be compensated.
Please do not buy the currently traded $ASAP
A compensation plan will be put into action for affected tokens
— ChainSwap ($ASAP) (@chain_swap) July 10, 2021
In April, ChainSwap raised $3 million in a funding round led by Alameda Research and the OKEx OK Block Dream Fund.
This is the second attack ChainSwap has suffered this month. On July 2, the platform incurred $800,000 in damages after an attacker exploited another vulnerability in its code.
ChainSwap worked with the police and OKEx to identify the attackers, and managed to negotiate the recovery of Corra and Rai tokens. An initial email with the attackers suggested the attackers return $1 million.
“Sorry for the trouble, you sound genuinely like great people but money is money,” the attackers of the earlier exploit told ChainSwap.