How a Hacker Burned and Swapped $710K Worth of LP Tokens on BiswapDEX.

By Arhat | Truly Crypto | 2 Jul 2023


Biswap's liquidity pools were exploited through a vulnerability in the "Biswap migration contract" that allowed anyone to replace legitimate migration transactions with fake ones.

$710,251 was stolen in this attack, including the value of the LP tokens and the BSW tokens that the attacker minted for free.

 

This is how it happened (refer to the visual below):

[Image: visual of the attack flow]

Step 1: The attacker initiates the Biswap Migrator contract's "migration function" using real pairs and fake tokens.

  • This function, designed to migrate user LP assets from one pool to another, doesn't validate token and pair parameters.
  • The attacker leverages this loophole to burn user LP assets and create their own LP pool using fake tokens. As a result, the user assets get stuck in the contract.
  • This happens with several pools, including BSW-BUSD, BSW-BNB, and BSW-USDT. Note: The token0 and token1 mentioned above are specific identifiers for the fake tokens the attacker used.

Step 2: The attacker then uses real token0 and token1 along with the fake LP created in step one to run the "migration function" again, this time adding the remaining contract assets to their LP, substituting the user LP assets with their fraudulent ones. This clever misdirection funnels the user's funds into the attacker's LP pool.

As for the impacted pools:

  • BSW-BUSD: The attacker burned $71,000 in LP tokens, created a fake pool using token0 and token1, added $71,000 in contract assets to their fake pool, and then replaced user LP assets with fake ones. They subsequently withdrew a total of $142,000 in $BSW and $BUSD from the fake pool.
  • BSW-BNB: A similar modus operandi, but with $67,000 burned in LP tokens. After creating the fake pool and adding the contract assets, they withdrew $134,000 in BSW and $BNB.
  • BSW-USDT: Again, the attacker burned $66,000 in LP tokens, added the same amount to the fake pool, replaced the user's LP assets, and withdrew $132,000 in BSW and $USDT.

The attacker transferred some of the stolen funds to other addresses, making it harder to track them.

Biswap has stated that they have fixed the vulnerability and ensured the safety of user funds.

This unfortunate instance demonstrates the vulnerabilities that arise when smart contracts do not adequately validate their parameters.
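One way to enforce the validation that Steps 1 and 2 show was missing, as an added Solidity example (not Biswap's code and not part of the original article). It assumes Uniswap-V2-style pairs and a single trusted factory; `ValidatedMigrator`, `onlyGenuinePool`, `trustedFactory` and `_migrate` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Uniswap-V2-style views (assumed interface of the pools being migrated).
interface IPairLike {
    function token0() external view returns (address);
    function token1() external view returns (address);
}

interface IFactoryLike {
    function getPair(address a, address b) external view returns (address);
}

// Hypothetical migrator base; every name in it is illustrative.
abstract contract ValidatedMigrator {
    // Assumption: a single factory is the only source of migratable pairs.
    address public immutable trustedFactory;

    error UntrustedPair(address pair);
    error TokenMismatch(address pair, address token0, address token1);

    constructor(address factory_) {
        require(factory_ != address(0), "factory unset");
        trustedFactory = factory_;
    }

    modifier onlyGenuinePool(address pair, address token0, address token1) {
        // Step 2 passed a fake LP: accept a pair only if the trusted factory
        // itself maps these two tokens to this exact pair address.
        address registered = IFactoryLike(trustedFactory).getPair(token0, token1);
        if (pair == address(0) || registered != pair) revert UntrustedPair(pair);

        // Step 1 passed fake tokens beside a real pair: the supplied tokens
        // must equal what the pair reports, in the same order.
        if (IPairLike(pair).token0() != token0 || IPairLike(pair).token1() != token1) {
            revert TokenMismatch(pair, token0, token1);
        }
        _;
    }

    // Validation runs before any LP token is burned or minted.
    function migrate(address pair, address token0, address token1, uint256 liquidity) external onlyGenuinePool(pair, token0, token1) {
        _migrate(msg.sender, pair, token0, token1, liquidity);
    }

    // Pool-to-pool liquidity movement, supplied by the concrete migrator.
    function _migrate(address owner, address pair, address t0, address t1, uint256 amt) internal virtual;
}
```

Both checks are needed: the factory lookup rejects a look-alike pair contract, and the token comparison rejects caller-supplied tokens that differ from the pair's own.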


 

Thank you for reading through, and follow me here and on Twitter for more regular post updates.

I’d also appreciate it if you shared this with your friends, who would enjoy reading this.

You can find my other research & investment thesis here: https://bit.ly/3CjMvoA

If you find this analysis useful, please consider donating to 0xd95d4b14dcfa941bf916255b3624c0bfb22166c8.

Thank you.

 
