Overview
There was a vulnerability in the SwapX contract of BSCex on Launchzone in its early days. Attackers used it to initiate swaps with funds that users had approved to the contract, stealing an estimated $7 million.
According to on-chain data, more than 34,000 addresses have granted approvals to this contract over its history. Please check whether your address has approved any of the following contracts and revoke the approvals promptly.
Related addresses:
- 0x26585626e4a8d4fc409146b47a61790d9008967c (deployment time: January 19, 2021)
- 0x8f34c8232d482cb65fea0d05184596001997d352 (deployment time: May 5, 2021)
- 0x544fde4e25dd7e0aff084f4975d808ae366b746b (deployment time: July 23, 2021)
- 0x6d8981847eb3cc2234179d0f0e72f6b6b2421a01 (deployment time: October 29, 2021)
Data details: https://dune.com/scamsniffer/bscex-exploit-stolen
Thank you SlowMist for participating in the discussion and review!
Background
Recently, a victim contacted Scam Sniffer, claiming that their BUSD had been stolen. After analyzing their recent transactions, we found no abnormal approval transactions in the recent past.

From the details of the theft transaction, we found that the contract that actually initiated the transfer was 0x26585626e4a8d4fc409146b47a61790d9008967c.

From the historical approval records, we found that the user had approved this contract more than 700 days earlier. Combined with the next transaction after that approval, this showed that the contract belongs to the SwapX contract under BSCex.

Exploitation Details

From the call stack, we can see that the contract apparently does not check whether the caller is the account whose tokens are being swapped (the exchanger), so anyone can spend an approval granted to it.
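To make the missing check concrete, here is an added, simplified illustration written for this post; it is not the SwapX source, and the contract names, function names and parameters are assumptions:

```solidity
// Added illustration (not the SwapX source): a swap router that spends an
// ERC20 allowance on behalf of a token owner.
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable pattern: `owner` is supplied by the caller and is never compared
// with msg.sender, so any caller can pull tokens from any account that has
// ever approved this router, and route the proceeds wherever it likes.
contract VulnerableRouter {
    function swapFrom(address owner, IERC20 tokenIn, uint256 amountIn, address recipient) external {
        // Uses the allowance `owner` granted to this contract, regardless of who calls
        tokenIn.transferFrom(owner, address(this), amountIn);
        _executeSwap(tokenIn, amountIn, recipient); // proceeds go to a caller-chosen address
    }

    function _executeSwap(IERC20, uint256, address) internal {}
}

// Hardened form: an allowance can only be spent by the account that granted it.
contract HardenedRouter {
    function swap(IERC20 tokenIn, uint256 amountIn, address recipient) external {
        // Only the caller's own allowance is ever pulled
        tokenIn.transferFrom(msg.sender, address(this), amountIn);
        _executeSwap(tokenIn, amountIn, recipient);
    }

    function _executeSwap(IERC20, uint256, address) internal {}
}
```

A deployed router cannot be fixed by its users; the user-side remedy is the one this post recommends, setting the allowance granted to the contract back to zero with the token's `approve(spender, 0)`.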

POC by DeFiHackLabs: https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/LaunchZone_exp.sol#L112
Through this vulnerability, a malicious contract can transfer the victim's assets and launch malicious swaps, such as:
- Wash trading
- Purchasing attacker-specified tokens that can then be rug-pulled

As shown in the figure: the attacker rug-pulled the token and withdrew the victim's funds from the pool.
Data Analysis

We quickly found Launchzone's announcement on 02-28, which estimated the amount stolen at around $320,000.

But by carefully examining the latest transactions associated with the exploited contract, we found that many victims' assets were still being transferred out!

To assess the scale, we used Dune to analyze the transfer data flowing through the exploited address. A rough estimate is that more than $3 million has been stolen.
Since this exploited contract is upgradeable, we also found several different addresses that deployed and upgraded it. These addresses were exploited one after another after the 27th.
These at-risk contracts have been approved by more than 34,000 addresses in total.
SwapXProxy
- 0xf6fba8586a9a0ae40df574c9a9f6668134d27603
- 0x26585626e4a8d4fc409146b47a61790d9008967c
- 0x8f34c8232d482cb65fea0d05184596001997d352
SwapXProxy
- 0x0ccee62efec983f3ec4bad3247153009fb483551
- 0x544fde4e25dd7e0aff084f4975d808ae366b746b
- 0x6d8981847eb3cc2234179d0f0e72f6b6b2421a01

Adding up the statistics for these historically exploitable contracts, the funds transferred out of them exceed roughly $7 million.

By aggregating the attacker's malicious contracts, we located some of the larger profit addresses:
- 0x7f5723783c650a085ed15c675651fab4eb50fbd7: BNB 2675, WBNB 3008, USDT 816481
- 0xb0bb54aefcfd8594193d942af225b62080b8588f: WBNB 2633
- 0x97a259f23b95f8e090a7000fc75633ea8e2209fc: WBNB 1335
- 0xbaca2500b0f3009b420a7592bb1485e7ba419d76: WBNB 2423
- 0x2c1f05e120710de792061031cfb05847ce53fc56: WBNB 1055
- 0xa31674e960dba2ced7afcc431ea176fc080ad36a: WBNB 291
- 0xc4bea60f5644b20ebb4576e34d84854f9588a7e2: WBNB 739
- 0x1d1a34cebdcff3fb4a40ed45245fd8a1daf8a94a: BNB 669
- 0xdead40082286f7e57a56d6e5efe242b9ac83b137: WBNB 1339

These addresses have profited nearly 16,000 BNB in total. Some of them likely belong to copycat attackers who followed later.
Besides the earlier case of buying worthless tokens under the attacker's own control, the most profitable malicious contract moved many victims' funds through wash trading and used them to purchase DND tokens.

Trends

Most of the thefts occurred on the 27th and 28th, with a small number occurring later.
Summary
This case fully illustrates the necessity of regularly cleaning up approvals! If the more than 34,000 addresses that granted approvals do not revoke them, funds sent to those addresses in the future may also be stolen. Please revoke the approvals promptly to avoid unnecessary losses!