ChainSwap post-mortem: what happened and how Lossless could have prevented it

Lossless
5 min read · Jul 21, 2021


DeFi is an exciting space, always teeming with activity, new developments, opportunities, and challenges. Unfortunately, it’s also attractive to all sorts of shady characters trying to exploit its vulnerabilities to get their hands on some of the assets that are constantly changing hands.

One of the most recent such events was the attack on Chainswap, a cross-chain asset bridge and application smart chain. Taking place on July 11, 2021, the hack left devastation in its wake, draining almost $8 million in assets and sending more than a dozen projects into a 99% plunge.

It was also the second hack to hit the platform in as little as nine days. The previous one resulted in losses of nearly $800,000 worth of assets. In both attacks, the hackers exploited a critical vulnerability in the platform’s smart contract and drained assets from users’ wallets.

What exactly happened?

According to the Chainswap team, the latest attack happened because of a bug in the token cross-chain quota code. Specifically, the signature node, intended to be more decentralized without manual control, increases the on-chain swap bridge quota automatically.

[Figure: ChainSwap contract code which was exploited]

However, the code had a logical flaw that led to an exploit by allowing invalid, non-whitelisted addresses to automatically increase the amount and transfer out funds.
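The class of flaw described above, as a simplified Python model added here for illustration; it is not ChainSwap's contract code. The class, its fields, the refill rule (including the default-zero timestamp for unseen addresses) and the sample addresses are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class BridgeModel:
    authorized: frozenset      # whitelisted signature-node addresses
    check_whitelist: bool      # False models the flaw; True is the hardened path
    reserves: int = 1_000_000  # constructed token balance held by the bridge
    quota_cap: int = 10_000    # constructed per-signer quota cap
    refill_per_sec: int = 1    # constructed automatic refill rate
    min_signers: int = 2
    quota: dict = field(default_factory=dict)
    last_update: dict = field(default_factory=dict)

    def available_quota(self, signer: str, now: int) -> int:
        # Automatic increase: quota grows with elapsed time, up to the cap.
        # An address never seen before has last_update 0 (assumed default),
        # so it looks as if it had been refilling forever and starts at the cap.
        elapsed = now - self.last_update.get(signer, 0)
        return min(self.quota_cap, self.quota.get(signer, 0) + elapsed * self.refill_per_sec)

    def release(self, signers: list, amount: int, now: int) -> bool:
        unique = set(signers)  # a repeated signer counts once
        if len(unique) < self.min_signers or amount > self.reserves:
            return False
        if self.check_whitelist and not unique <= self.authorized:
            return False       # hardened: only whitelisted nodes may authorize
        if any(self.available_quota(s, now) < amount for s in unique):
            return False
        for s in unique:       # charge every signer's quota, then pay out
            self.quota[s] = self.available_quota(s, now) - amount
            self.last_update[s] = now
        self.reserves -= amount
        return True

def demo() -> dict:
    nodes = frozenset({"node-A", "node-B"})
    strangers = ["0xunlisted-1", "0xunlisted-2"]  # constructed, not whitelisted
    now = 1_626_000_000                           # constructed timestamp
    flawed = BridgeModel(nodes, check_whitelist=False)
    hardened = BridgeModel(nodes, check_whitelist=True)
    return {
        "flawed_accepts_strangers": flawed.release(strangers, 10_000, now),
        "hardened_accepts_strangers": hardened.release(strangers, 10_000, now),
        "hardened_accepts_nodes": hardened.release(["node-A", "node-B"], 10_000, now),
        "flawed_reserves": flawed.reserves,
        "hardened_reserves": hardened.reserves,
    }
```

In the model, the per-signer quota only limits loss when the set of accepted signers is itself restricted, which is why the membership check has to run before any quota is read or refilled.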

The list of protocols affected by the second attack was extensive and included:

  • Antimatter (MATTER),
  • Blank (BLANK),
  • Corra (CORA),
  • Dafi (DAFI),
  • Nord Finance (NORD),
  • Option Room (ROOM),
  • Oro (ORO),
  • Peri (PERI),
  • Razor Network (RAZOR),
  • Rocks (ROCKS),
  • Umbrella Network (UMB),
  • Unifarm (UFARM),
  • Unido (UDO),
  • Vortex (VTX),
  • Wilder Worlds (WILD),
  • as well as Chainswap’s own token (ASAP),

on both the Ethereum and Binance Smart Chain (BSC) networks.

That said, the affected projects’ tokens remained available for purchase on other platforms, as the projects weren’t hacked directly.

How did the Chainswap team react?

Upon learning of the latest attack, Chainswap notified the public, listing the affected projects and warning users against buying any tokens for the time being. It temporarily pulled liquidity, snapshotted all holders and LPs pre-hack, and announced a 1:1 airdrop of new ASAP tokens to replace the compromised ASAP token (including to holders on exchanges), as well as the re-adding of liquidity.

According to the team, all affected ASAP holdings on BSC and HECO would be airdropped on the Ethereum network (the time window to be announced). The aim is to ensure full compensation for holders of non-Ethereum ASAP. The team also announced that it will provide liquidity on Uniswap right before the airdrop and trading on Uniswap begins.

It also froze the BSC mapping token address to filter out the hackers’ addresses, warning users that they might temporarily see 0 as their balance until the team finished filtering and force-burning the hacked ASAP in the hacker’s wallet. The team asserted that it was its smart contract that was affected, not the wallets that interacted with Chainswap, and that the funds from individual wallets were safe.

To compensate the affected projects, the team spent 717,220 ASAP tokens, in addition to the stablecoin compensation from the treasury fund. It stated that the distribution would take place on a daily basis, starting with the new token issuance date. The team minimized compensation in ASAP tokens to protect the value for original token holders.

Finally, Chainswap listed its future plans after completing the compensation plan, including the continuation of work on Chainswap V2 and Chainswap Hub. In the meantime, it has set in motion several improvements:

  • Halting the Chainswap bridge and coordinating with various auditing firms to carry out a detailed audit,
  • Adding increased security measures to its development production line, including improved internal code testing, community bug bounty programs, and third-party auditing by reputed smart contract auditors,
  • Working on the new and improved bridge that will be launched with Chainswap V2,
  • Extending a lock-up for the foundation and team tokens for two additional years.

After the previous attack, the Chainswap team promptly froze the bridge, switched off all nodes, and implemented a fix within 30 minutes. It contacted the local police authorities, Huobi, and OKEx, with which the attacker interacted to withdraw and deposit funds. The team fully compensated all affected users from the Chainswap treasury.

A bit more on ChainSwap

Chainswap is a cross-chain decentralized finance platform that facilitates moving all sorts of DeFi tokens (including the more obscure ones) listed on its platform between Ethereum, BSC, and Huobi ECO Chain (HECO). The company plans to introduce cross-chain solutions for Bitcoin, Solana, and Polkadot, as it did with Polkastarter in March 2021.

In April 2021, the platform raised $3 million from leading industry names, including NGC Ventures, Alameda Research, OKEx’s Block Dream Fund, and other investors. After the successful funding, its token reached its all-time high of $3.62 (on April 23, 2021), from which it has since dropped by a staggering 96.7%.

In the past month alone, its price declined by 76.7%, reaching the all-time low on July 10, 2021, when it traded at only $0.002. Chainswap’s current price (as of July 19, 2021) is around $0.12.

How Lossless could’ve saved $8,000,000

Despite these worthwhile attempts at mitigating the damage and preventing future hacks, Chainswap may still be vulnerable to unexpected situations, hidden vulnerabilities, or human errors. And when the hacker manages to exploit these, the platform is left reeling with losses and compensations.

This requires a more innovative approach, one that would stop these hacks in their tracks and revert them. It’s safe to say that if Chainswap had had the Lossless hack protection protocol in place, things would’ve looked a lot different.

With the Lossless hack protection code inserted into the affected tokens:

  • The stolen funds would’ve been frozen and returned to their rightful owners by now. This would’ve been possible thanks to the Lossless wrapped tokens made with the code that the creators embedded into their tokens.
  • The situation would immediately come to the attention of our community of white hat hackers and hack-spotting bots working tirelessly 24/7 monitoring on-chain events, unusual token activities, and third-party reports.
  • It would’ve saved the affected users roughly $8,800,000 in assets. Just imagine how much money could be saved in the DeFi market that last year alone lost $3.78 billion in 122 attacks.

These are all strong arguments in favor of implementing the Lossless code, but there’s more. The Lossless hack-protection protocol is also very flexible (works with every ERC-20 token) and simple to implement as all participating projects will receive all the tools they need to seamlessly equip their tokens with it. The token creators also face no upfront charges and a fixed percentage fee is paid only when there’s a saved hack.

The hack-spotters also stake their native Lossless (LSS) tokens which are burned if the hack is proven invalid. This unique model is an immensely efficient way to protect protocols’ tokens and assets against hacking, increasing the trust and security for token holders, and playing a critical role in the wider global DeFi adoption.

If you want to join our quest for a better, safer decentralized market or just learn more, then reach out to us on our:

Website | Telegram | Twitter | GitHub
