In its early days, the SwapX contract of BSCex on Launchzone contained a vulnerability. Hackers exploited it to take the funds of users who had authorized the contract and launch Swaps with them, stealing an estimated $7 million.
According to on-chain data, more than 34,000 addresses have historically authorized this contract. Please check whether your address has authorized any of the following contracts and revoke the authorization promptly.
- Deployment time: January 19, 2021
- Deployment time: May 5, 2021
- Deployment time: July 23, 2021
- Deployment time: October 29, 2021
Data details: https://dune.com/scamsniffer/bscex-exploit-stolen
Thank you SlowMist for participating in the discussion and review!
Recently, a victim contacted Scam Sniffer, claiming that their BUSD was stolen. After analyzing recent related transactions, we found that the user had not made any abnormal authorization transactions recently.
Through the details of the stolen transaction, we found that the actual contract that initiated the transfer was
From the historical authorization records, we found that the user had authorized this contract more than 700 days earlier. The next transaction after that authorization showed that the contract is the SwapX contract under BSCex.
Through the call stack, we can see that the contract may not check whether the caller is the exchanger.
Through this vulnerability, a malicious contract can transfer the victim’s assets and launch malicious Swaps, such as:
- Wash trading
- Purchase specified tokens that can be RugPulled
As shown in the figure: The attacker RugPulled and withdrew the victim’s funds from the pool.
We quickly found Launchzone’s announcement on 02-28, which estimated that the amount stolen was around $320,000.
But by carefully examining the latest transaction associated with the exploited contract, we found that many victims’ assets are still being transferred!
To analyze the specific scale, we used Dune to analyze the transfer data through the exploited address. Roughly estimated, more than $3 million has been stolen.
Since this exploited contract is an upgradable contract, we have also found several different addresses that have deployed and upgraded it. These addresses have been exploited one by one after the 27th.
These at-risk contracts have been authorized by more than 34,000 addresses in total.
- SwapXProxy 0xf6fba8586a9a0ae40df574c9a9f6668134d27603 0x26585626e4a8d4fc409146b47a61790d9008967c 0x8f34c8232d482cb65fea0d05184596001997d352
- SwapXProxy 0x0ccee62efec983f3ec4bad3247153009fb483551 0x544fde4e25dd7e0aff084f4975d808ae366b746b 0x6d8981847eb3cc2234179d0f0e72f6b6b2421a01
Adding up the statistics for these historically exploitable contracts, the funds transferred out of them exceed roughly $7 million.
By aggregating the attacker's malicious contracts, we located some addresses with larger profits:
- 0x7f5723783c650a085ed15c675651fab4eb50fbd7 BNB: 2675 WBNB: 3008 USDT: 816481
- 0xb0bb54aefcfd8594193d942af225b62080b8588f WBNB: 2633
- 0x97a259f23b95f8e090a7000fc75633ea8e2209fc WBNB: 1335
- 0xbaca2500b0f3009b420a7592bb1485e7ba419d76 WBNB: 2423
- 0x2c1f05e120710de792061031cfb05847ce53fc56 WBNB: 1055
- 0xa31674e960dba2ced7afcc431ea176fc080ad36a WBNB: 291
- 0xc4bea60f5644b20ebb4576e34d84854f9588a7e2 WBNB: 739
- 0x1d1a34cebdcff3fb4a40ed45245fd8a1daf8a94a BNB: 669
- 0xdead40082286f7e57a56d6e5efe242b9ac83b137 WBNB: 1339

These addresses have profited nearly 16,000 BNB. Some of them probably belong to copycats who followed later.
In addition to the previous case of buying garbage tokens under their own control, the largest profit-making malicious contract transferred the funds of many victims through wash trading and purchased DND tokens.
Most of the thefts occurred on the 27th and 28th, and a small number occurred later.
This case fully illustrates the necessity of regularly cleaning up authorizations! If the more than 34,000 addresses that granted authorization do not revoke it, funds transferred to these addresses in the future may be stolen. Please revoke authorizations promptly to avoid unnecessary losses!
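One way to check a wallet against the addresses listed above and prepare the revocation, as an added example that is not part of the original report: it builds the standard ERC-20 `allowance(owner, spender)` queries as a JSON-RPC batch, reads the replies, and produces `approve(spender, 0)` calldata for every live allowance. The token and wallet addresses and the node replies are constructed placeholders, and treating every address in the SwapXProxy list as a spender to check is an assumption.

```python
# Added example: audit and revoke ERC-20 allowances held by at-risk spenders.
ALLOWANCE = "dd62ed3e"  # selector of allowance(address,address)
APPROVE = "095ea7b3"    # selector of approve(address,uint256)

# Addresses listed in this article's SwapXProxy list (assumed to be spenders).
AT_RISK = [
    "0xf6fba8586a9a0ae40df574c9a9f6668134d27603",
    "0x26585626e4a8d4fc409146b47a61790d9008967c",
    "0x8f34c8232d482cb65fea0d05184596001997d352",
    "0x0ccee62efec983f3ec4bad3247153009fb483551",
    "0x544fde4e25dd7e0aff084f4975d808ae366b746b",
    "0x6d8981847eb3cc2234179d0f0e72f6b6b2421a01",
]
TOKEN = "0x" + "11" * 20  # placeholder token address (constructed)
OWNER = "0x" + "22" * 20  # placeholder wallet address (constructed)

def _word(addr):
    """ABI-encode a 20-byte address as a left-padded 32-byte hex word."""
    raw = bytes.fromhex(addr[2:] if addr.startswith("0x") else addr)
    if len(raw) != 20:
        raise ValueError("not a 20-byte address: " + addr)
    return raw.hex().rjust(64, "0")

def allowance_batch(token, owner, spenders=AT_RISK):
    """JSON-RPC batch of eth_call requests, one allowance(owner, spender) each."""
    return [{"jsonrpc": "2.0", "id": i, "method": "eth_call",
             "params": [{"to": token,
                         "data": "0x" + ALLOWANCE + _word(owner) + _word(s)},
                        "latest"]}
            for i, s in enumerate(spenders)]

def revoke_calldata(spender):
    """Calldata for approve(spender, 0), sent to the token to clear the allowance."""
    return "0x" + APPROVE + _word(spender) + "0" * 64

def audit(responses, spenders=AT_RISK):
    """Return (spender, allowance, revoke calldata) for every live allowance."""
    findings = []
    for r in responses:
        hexval = r["result"][2:]  # KeyError on an RPC error; "0x" is an empty return
        amount = int(hexval, 16) if hexval else 0
        if amount > 0:
            s = spenders[r["id"]]  # replies are matched to spenders by request id
            findings.append((s, amount, revoke_calldata(s)))
    return findings

# Constructed node replies: an old unlimited approval to the first address only.
SAMPLE = [{"jsonrpc": "2.0", "id": i, "result": "0x" + ("f" if i == 0 else "0") * 64}
          for i in range(len(AT_RISK))]
FINDINGS = audit(SAMPLE)
```

Run the batch once per token the wallet holds; an allowance that was granted years ago still shows up here even when the wallet has no recent approval transactions.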