Vulnerability in the early Bscex SwapX Contract of Launchzone


In its early days, the SwapX contract of BSCex on Launchzone had a vulnerability. Attackers used it to move funds from users who had approved the contract and to launch swaps with those funds; the estimated value stolen is $7 million.

According to on-chain data, more than 34,000 addresses have granted approvals to these contracts over time. Please check whether your address has approved any of the following contracts and revoke those approvals promptly.

Related addresses:

  • 0x26585626e4a8d4fc409146b47a61790d9008967c
    • Deployment time: January 19, 2021
  • 0x8f34c8232d482cb65fea0d05184596001997d352
    • Deployment time: May 5, 2021
  • 0x544fde4e25dd7e0aff084f4975d808ae366b746b
    • Deployment time: July 23, 2021
  • 0x6d8981847eb3cc2234179d0f0e72f6b6b2421a01
    • Deployment time: October 29, 2021

Data details:

Thank you SlowMist for participating in the discussion and review!


Recently, a victim contacted Scam Sniffer, claiming that their BUSD had been stolen. After analyzing their recent transactions, we found that the user had not made any abnormal approval transactions recently.

From the details of the theft transaction, we found that the contract that actually initiated the transfer was 0x26585626e4a8d4fc409146b47a61790d9008967c.

From the historical approval records, we located an approval the user had granted to this contract more than 700 days earlier, and from the transaction immediately following that approval, we determined that the contract is the SwapX contract under BSCex.

Exploitation Details

From the call stack, we can see that the contract apparently does not check whether the caller is the exchanger, i.e. the account whose tokens are being swapped.

POC by DeFiHackLabs:

Through this vulnerability, a malicious contract can transfer the victim's assets and launch malicious swaps, such as:

  • Wash trading
  • Purchasing specified tokens that can then be rug-pulled

As shown in the figure: the attacker rug-pulled and withdrew the victim's funds from the pool.
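The access-control flaw described above, modelled as an added example (this is not the SwapX contract's code): a swap function pulls tokens from a caller-supplied `from_` address with `transferFrom`, so any address may name a victim who has approved the swap contract. `Token`, `VulnerableSwapX`, `HardenedSwapX` and the account labels are constructed; `HardenedSwapX` shows the missing `msg.sender == from` check.

```python
"""Minimal model of ERC-20 allowance semantics and a swap contract that
trusts its `from_` parameter instead of the caller (added example,
not the SwapX contract's code; all names are constructed)."""

UINT256_MAX = 2**256 - 1


class Token:
    """Balance/allowance ledger with ERC-20 approve/transferFrom rules."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        """`caller` (the spender) moves `amount` from `owner` to `to`,
        limited only by the allowance `owner` granted to `caller`."""
        allowed = self.allowances.get((owner, caller), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class VulnerableSwapX:
    """Swap contract with the flaw: `from_` is trusted, msg_sender is ignored."""

    name = "swapx"  # the contract's own address, as seen by the token

    def __init__(self, token):
        self.token = token

    def swap(self, msg_sender, from_, amount, to):
        # Victims approved `swapx` as spender, so the token lets the contract
        # pull from any `from_` it names; nothing ties `from_` to the caller.
        self.token.transfer_from(self.name, from_, to, amount)


class HardenedSwapX(VulnerableSwapX):
    """Same contract with the caller check that was missing."""

    def swap(self, msg_sender, from_, amount, to):
        if msg_sender != from_:
            raise PermissionError("caller must be the token owner")
        super().swap(msg_sender, from_, amount, to)


def run_scenario(swap_cls):
    """A victim grants the usual unlimited approval; an unrelated attacker then
    calls swap() naming the victim as `from_`. Returns (victim, attacker) balances."""
    token = Token({"victim": 1000})
    swapx = swap_cls(token)
    token.approve("victim", swapx.name, UINT256_MAX)
    try:
        swapx.swap("attacker", "victim", 1000, "attacker_pool")
    except PermissionError:
        pass  # hardened version rejects the call; balances stay put
    return token.balances.get("victim", 0), token.balances.get("attacker_pool", 0)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableSwapX))  # (0, 1000)
    print("hardened:  ", run_scenario(HardenedSwapX))    # (1000, 0)
```

The model also shows why the approval, not the contract bug alone, is what keeps funds at risk: even after the bug is known, every address still holding a non-zero allowance to the flawed spender can be drained on its next deposit.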

Data Analysis

We quickly found Launchzone’s announcement on 02-28, which estimated that the amount stolen was around $320,000.

But on carefully examining the latest transactions associated with the exploited contract, we found that many victims' assets were still being transferred!

To gauge the scale, we used Dune to analyze the transfers made through the exploited address. A rough estimate shows that more than $3 million has been stolen.

Since the exploited contract is upgradeable, we also found several other addresses that deployed and upgraded it. These addresses were exploited one after another after the 27th.

These at-risk contracts have been authorized by more than 34,000 addresses in total.



Adding up the statistics for these historically exploitable contracts, the funds transferred out of them exceed approximately $7 million.

By aggregating the attacker's malicious contracts, we located some of the larger profit addresses (profits per address):

  • BNB: 2675, WBNB: 3008, USDT: 816481
  • WBNB: 2633
  • WBNB: 1335
  • WBNB: 2423
  • WBNB: 1055
  • WBNB: 291
  • WBNB: 739
  • BNB: 669
  • WBNB: 1339

These addresses have profited nearly 16,000 BNB in total. Some of them probably belong to copycat attackers (followers) who came later.

In addition to the earlier case of buying junk tokens under the attacker's own control, the largest profit-making malicious contract transferred many victims' funds through wash trading and purchased DND tokens.


Most of the thefts occurred on the 27th and 28th, with a small number occurring later.


This case fully illustrates the necessity of regularly cleaning up approvals! If the more than 34,000 addresses that granted approvals do not revoke them, funds transferred to these addresses in the future may also be stolen. Please revoke the approvals in time to avoid unnecessary losses!
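For the check recommended at the top of the article and repeated here, the following added example (not Scam Sniffer's or Launchzone's code) builds, offline, the `eth_call` requests that read a token's `allowance(owner, spender)` for each of the four at-risk SwapX addresses listed above, decodes the responses, and produces the `approve(spender, 0)` calldata that revokes any non-zero allowance. The function selectors are the standard ERC-20 ones; the token address, owner address and RPC responses in the usage section are constructed placeholders, and sending the requests to a BSC RPC endpoint and signing the revoke transaction are left to the reader.

```python
"""Build ERC-20 allowance queries and revoke calldata for the SwapX
addresses named in the article (added example; not the project's code)."""
import json

# Standard ERC-20 selectors: first 4 bytes of keccak256(signature).
ALLOWANCE_SELECTOR = "dd62ed3e"  # allowance(address,address)
APPROVE_SELECTOR = "095ea7b3"    # approve(address,uint256)
UINT256_MAX = 2**256 - 1

# The four SwapX contract addresses listed in the article.
AT_RISK_SPENDERS = [
    "0x26585626e4a8d4fc409146b47a61790d9008967c",
    "0x8f34c8232d482cb65fea0d05184596001997d352",
    "0x544fde4e25dd7e0aff084f4975d808ae366b746b",
    "0x6d8981847eb3cc2234179d0f0e72f6b6b2421a01",
]


def _pad_address(addr: str) -> str:
    """ABI-encode an address as one 32-byte word (left-padded with zeros)."""
    h = addr.lower().removeprefix("0x")
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"bad address: {addr}")
    return h.rjust(64, "0")


def _pad_uint(value: int) -> str:
    """ABI-encode a uint256 as one 32-byte word."""
    if not 0 <= value <= UINT256_MAX:
        raise ValueError("uint256 out of range")
    return f"{value:064x}"


def allowance_calldata(owner: str, spender: str) -> str:
    return "0x" + ALLOWANCE_SELECTOR + _pad_address(owner) + _pad_address(spender)


def revoke_calldata(spender: str) -> str:
    """approve(spender, 0): sets the allowance to zero."""
    return "0x" + APPROVE_SELECTOR + _pad_address(spender) + _pad_uint(0)


def allowance_request(token: str, owner: str, spender: str, request_id: int = 1) -> dict:
    """JSON-RPC eth_call object that reads token.allowance(owner, spender)."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": token, "data": allowance_calldata(owner, spender)}, "latest"],
    }


def decode_uint256(result_hex: str) -> int:
    """Decode the single 32-byte word an eth_call returns."""
    h = result_hex.removeprefix("0x")
    if len(h) != 64:
        raise ValueError("expected a single 32-byte word")
    return int(h, 16)


def find_live_approvals(token: str, owner: str, rpc_results: dict) -> list:
    """rpc_results maps spender -> raw eth_call result. Returns one
    (spender, allowance, revoke_tx) tuple per non-zero allowance."""
    live = []
    for spender in AT_RISK_SPENDERS:
        amount = decode_uint256(rpc_results[spender])
        if amount > 0:
            tx = {"to": token, "from": owner, "data": revoke_calldata(spender)}
            live.append((spender, amount, tx))
    return live


if __name__ == "__main__":
    # Constructed placeholders: a token contract and the owner being checked.
    token = "0x2222222222222222222222222222222222222222"
    owner = "0x1111111111111111111111111111111111111111"
    for i, spender in enumerate(AT_RISK_SPENDERS, 1):
        print(json.dumps(allowance_request(token, owner, spender, i)))
    # Constructed responses: an unlimited approval left on the first contract.
    results = {s: "0x" + "0" * 64 for s in AT_RISK_SPENDERS}
    results[AT_RISK_SPENDERS[0]] = "0x" + "f" * 64
    for spender, amount, tx in find_live_approvals(token, owner, results):
        print(f"revoke needed for {spender} (allowance {amount}): {tx['data']}")
```

The same loop has to be repeated per token (BUSD, USDT, WBNB and so on) because allowances are stored in each token contract, not in the spender; an address that approved SwapX for several tokens needs one revoke transaction per token.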
