ChainSwap Exploit 11 July 2021 Post-Mortem
On July 11, 2021, the cross-chain bridge project ChainSwap was exploited, resulting in a total loss of 20 assets on the bridge with a combined value of $4 million. The ChainSwap team has now prepared and executed a compensation plan in consensus with the affected projects.
The attacked contract code:
The attacker’s address is as follows: https://etherscan.io/address/0xEda5066780dE29D00dfb54581A707ef6F52D8113
After investigating, we found a bug in the token cross-chain quota code. The on-chain swap bridge quota is automatically increased by the signature node, a design intended to be more decentralized, without manual control. However, a logical flaw in the code allowed invalid addresses that were not whitelisted to automatically increase the amount, which led to the exploit.
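The class of flaw described above, as a simplified model added here for illustration (it is not ChainSwap's contract code): a per-signer quota that refills automatically, with the whitelist check either missing or applied before any quota is created. The class, function names, rates and addresses are all constructed assumptions.

```python
from dataclasses import dataclass, field

CAP = 1_000          # constructed per-signer quota ceiling
REFILL_PER_SEC = 10  # constructed auto-increase rate


@dataclass
class Bridge:
    whitelist: set         # addresses of approved signature nodes
    check_whitelist: bool  # False = flawed variant, True = hardened variant
    quota: dict = field(default_factory=dict)
    last_seen: dict = field(default_factory=dict)
    released: int = 0

    def _auto_increase(self, signer: str, now: int) -> int:
        """Lazily top up the signer's quota from elapsed time, up to CAP."""
        elapsed = now - self.last_seen.get(signer, 0)
        topped = min(CAP, self.quota.get(signer, 0) + elapsed * REFILL_PER_SEC)
        self.quota[signer], self.last_seen[signer] = topped, now
        return topped

    def receive(self, signer: str, amount: int, now: int) -> bool:
        """Release `amount` if the signer attesting the transfer has quota."""
        if amount <= 0:
            return False
        # Hardened path: authorise the signer BEFORE a quota entry exists for it.
        if self.check_whitelist and signer not in self.whitelist:
            return False
        if self._auto_increase(signer, now) < amount:
            return False
        self.quota[signer] -= amount
        self.released += amount
        return True


def released_for(bridge: Bridge, signers, amount: int, now: int) -> int:
    """Submit one transfer per signer; return the total the bridge released."""
    for signer in signers:
        bridge.receive(signer, amount, now)
    return bridge.released


NODES = {"node-A", "node-B"}                # constructed whitelist
UNKNOWN = [f"fresh-{i}" for i in range(5)]  # constructed non-whitelisted addresses

if __name__ == "__main__":
    print("flawed  :", released_for(Bridge(NODES, False), UNKNOWN, 1_000, now=100))
    print("hardened:", released_for(Bridge(NODES, True), UNKNOWN, 1_000, now=100))
```

In the flawed variant every previously unseen address starts with a freshly refilled quota, so the per-signer cap no longer bounds what the bridge releases; the hardened variant never creates quota state for an address outside the whitelist.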
3. Current Progress and Compensation Situation
The bridge is offline. Mapping tokens have been frozen, and we are actively communicating with the affected projects. The compensation plan has been mostly finished. The ChainSwap smart contract has previously been sent to two contract audit companies to complete the audit. Before the bridge is re-opened, the code will be put under major audits to ensure safety.
In order to bring everybody a more rigorous, efficient bridge, the next development model of ChainSwap will be adjusted to ensure maximum safety.