ChainSwap Exploit 11 July 2021 Post-Mortem

On July 11, 2021, the cross-chain bridge project ChainSwap was exploited. Twenty assets held on the bridge were drained, with a combined value of about $4 million. The ChainSwap team has since prepared and executed a compensation plan agreed with the affected projects.

1. Attack Description

The exploited contract (verified source on Etherscan):

https://etherscan.io/address/0x06c24002f43e3AF904EeEc581734EA3A7DbF355E#code

The attacker's address: https://etherscan.io/address/0xEda5066780dE29D00dfb54581A707ef6F52D8113

2. What Happened

Our investigation found a bug in the cross-chain token quota logic. The on-chain bridge quota is increased automatically by the signature nodes, a design chosen so that the bridge is more decentralized and does not depend on manual control. The code that performed this increase, however, did not verify that the address presenting the signature was a whitelisted signature node. An address that had never been whitelisted could therefore have its quota increased automatically, and the attacker used such an address to withdraw tokens from the bridge.
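To make the bug class concrete, the following model is an added example written for this post-mortem; it is not ChainSwap's contract code, and every name in it (`BridgeState`, `receive_vulnerable`, `receive_hardened`, the node and attacker addresses, the quota figures) is hypothetical. Signature recovery is left out: the `signers` list stands in for addresses already recovered from the submitted signatures. The vulnerable path tops up and checks a per-signer quota without asking whether the signer is whitelisted, so the attacker's own key earns quota and releases tokens; the hardened path rejects non-whitelisted or duplicate signers, enforces a signature threshold, and validates every quota before touching state.

```python
"""Model of the bug class described above: a per-signer bridge quota that is
topped up automatically, but checked without confirming the signer is a
whitelisted signature node. Illustrative only; not ChainSwap's contract code."""
from dataclasses import dataclass, field


@dataclass
class BridgeState:
    """Minimal bridge state. All names are hypothetical."""
    whitelist: frozenset           # addresses of authorised signature nodes
    quota_step: int                # quota granted to a signer on each use
    threshold: int                 # distinct signatures needed (hardened path)
    quotas: dict = field(default_factory=dict)   # signer -> remaining quota
    minted: dict = field(default_factory=dict)   # recipient -> tokens released


def _top_up_and_consume(state, signer, amount):
    """Grant quota_step to the signer, then spend `amount` of it.

    This is the 'automatically increased by the signature node' behaviour:
    a signer never needs an operator to raise its quota by hand.
    """
    state.quotas[signer] = state.quotas.get(signer, 0) + state.quota_step
    if state.quotas[signer] < amount:
        return False
    state.quotas[signer] -= amount
    return True


def receive_vulnerable(state, recipient, amount, signers):
    """Release tokens if every presented signer has enough quota.

    `signers` stands in for addresses already recovered from ECDSA
    signatures (recovery is omitted in this model). The flaw: nothing checks
    that a recovered address is in the whitelist, so the attacker's own key
    counts as a 'signature node' and receives quota_step of quota for free.
    """
    for signer in signers:
        if not _top_up_and_consume(state, signer, amount):
            return False
    state.minted[recipient] = state.minted.get(recipient, 0) + amount
    return True


def receive_hardened(state, recipient, amount, signers):
    """Same flow with the checks the vulnerable path is missing."""
    unique = set(signers)
    # distinct signers: one key must not be counted several times
    if len(unique) != len(signers):
        return False
    # enough signatures, and every one of them from a whitelisted node
    if len(unique) < state.threshold or not unique <= state.whitelist:
        return False
    # validate all quotas before mutating anything, so a failure leaves
    # the bridge state untouched
    if any(state.quotas.get(s, 0) + state.quota_step < amount for s in signers):
        return False
    for signer in signers:
        _top_up_and_consume(state, signer, amount)
    state.minted[recipient] = state.minted.get(recipient, 0) + amount
    return True


def demo():
    """Constructed scenario: attacker signs with a key that was never
    whitelisted; two legitimate nodes co-sign a normal transfer."""
    def fresh():
        return BridgeState(whitelist=frozenset({"0xnodeA", "0xnodeB"}),
                           quota_step=1000, threshold=2)

    vuln = fresh()
    hard = fresh()
    return {
        "vuln_attacker": receive_vulnerable(vuln, "0xattacker", 900, ["0xattacker"]),
        "hard_attacker": receive_hardened(hard, "0xattacker", 900, ["0xattacker"]),
        "hard_duplicate": receive_hardened(hard, "0xattacker", 900, ["0xnodeA", "0xnodeA"]),
        "hard_mixed": receive_hardened(hard, "0xattacker", 900, ["0xnodeA", "0xattacker"]),
        "hard_legit": receive_hardened(hard, "0xalice", 900, ["0xnodeA", "0xnodeB"]),
        "vuln_minted": dict(vuln.minted),
        "hard_minted": dict(hard.minted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the hardened version is ordering: membership in the signer set is decided before any quota is granted, and all quota checks pass before any quota is spent. Auto-increasing quota is only safe once the set of addresses that can trigger the increase is closed.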

3. Current Progress and Compensation Situation

The bridge is offline. Mapped tokens have been frozen, and we are in active contact with the affected projects. The compensation plan is largely complete. The ChainSwap smart contracts had previously been audited by two contract audit firms; before the bridge is re-opened, the code will undergo further in-depth audits.

4. Future Plans

To deliver a more rigorous and efficient bridge, ChainSwap's development process will be adjusted to put security first.