{"id":45907,"date":"2021-07-12T11:12:32","date_gmt":"2021-07-12T08:12:32","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=45907"},"modified":"2025-09-01T13:40:49","modified_gmt":"2025-09-01T10:40:49","slug":"hackers-drain-more-than-4m-from-defi-projects-due-to-chainswap-vulnerability","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/hackers-drain-more-than-4m-from-defi-projects-due-to-chainswap-vulnerability\/","title":{"rendered":"Hackers drain more than $4m from DeFi projects due to ChainSwap vulnerability"},"content":{"rendered":"<p>Hackers exploited a critical vulnerability in the ChainSwap cross-chain bridge&#8217;s smart contract and drained more than $4m from <span data-descr=\"decentralized finance\" class=\"old_tooltip\">DeFi<\/span> projects. To mitigate the fallout, developers will release a new version of their own token, ASAP.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Liquidity pulled temporarily, please do not buy <a href=\"https:\/\/twitter.com\/search?q=%24ASAP&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$ASAP<\/a> we are investigating the exploit<\/p>\n<p>\u2014 ChainSwap ($ASAP) (@chain_swap) <a href=\"https:\/\/twitter.com\/chain_swap\/status\/1413973753097293825?ref_src=twsrc%5Etfw\">July 10, 2021<\/a><\/p><\/blockquote>\n<p>The ChainSwap protocol serves as a bridge between various blockchains, including Binance Smart Chain (BSC), Ethereum, Polygon and Huobi Eco Chain.<\/p>\n<p>On July 10, the Wilder World NFT marketplace team noticed a glitch on the PancakeSwap platform. 
The attacker withdrew more than $534 000 from the Wilder Pancake Liquidity Pool on BSC and the ChainSwap bridge contract on the Ethereum blockchain.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">\ud83d\udea8Important Update: ChainSwap Hack \ud83d\udea8<\/p>\n<p>\ud83d\ude4f\ud83c\udffb It&#8217;s our priority to keep our community updated in real time as we continue to investigate the ChainSwap Hack \ud83d\ude4f\ud83c\udffb<\/p>\n<p>\ud83d\udef8 In the meantime you can join our ZERO network to keep up to date \u2014 <a href=\"https:\/\/t.co\/NFjEuQLnlk\">https:\/\/t.co\/NFjEuQLnlk<\/a> \ud83d\udef8<a href=\"https:\/\/t.co\/f2XWGVKzw5\">https:\/\/t.co\/f2XWGVKzw5<\/a><\/p>\n<p>\u2014 Wilder World (@WilderWorld) <a href=\"https:\/\/twitter.com\/WilderWorld\/status\/1414146083920367622?ref_src=twsrc%5Etfw\">July 11, 2021<\/a><\/p><\/blockquote>\n<p>Developers noted that they responded promptly to the issue and prevented further outflows. According to them, the attack exploited a critical vulnerability in the ChainSwap smart contract that allowed the attackers to mint about 20 million <span data-descr=\"Wilder World native token\" class=\"old_tooltip\">WILD<\/span> tokens directly to their address on the BSC network, rather than into the main contract on the Ethereum blockchain.<\/p>\n<p>Wilder World stressed that their project was \u201cone of a dozen\u201d affected. According to user Krisma, the attack affected Antimatter, Razor, Unifarm and others. 
Tokens worth more than $4.3m are held by the hackers at their addresses, according to <a href=\"https:\/\/etherscan.io\/address\/0xEda5066780dE29D00dfb54581A707ef6F52D8113\">Etherscan<\/a>.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Chainswap got exploited<\/p>\n<p>Projects which got harmed:<br \/>Wilder Worlds <a href=\"https:\/\/twitter.com\/search?q=%24WILD&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$WILD<\/a><br \/>Antimatter <a href=\"https:\/\/twitter.com\/search?q=%24MATTER&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$MATTER<\/a><br \/>Optionroom <a href=\"https:\/\/twitter.com\/search?q=%24ROOM&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$ROOM<\/a><br \/>Umbrella Blank <a href=\"https:\/\/twitter.com\/search?q=%24UMB&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$UMB<\/a><br \/>Nord <a href=\"https:\/\/twitter.com\/search?q=%24NORD&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$NORD<\/a><br \/>Razor <a href=\"https:\/\/twitter.com\/search?q=%24RAZOR&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$RAZOR<\/a><br \/>Peri <a href=\"https:\/\/twitter.com\/search?q=%24PERI&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$PERI<\/a><br \/>Unido <a href=\"https:\/\/twitter.com\/search?q=%24VTX&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$VTX<\/a><br \/>Oro <a href=\"https:\/\/twitter.com\/search?q=%24ORO&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$ORO<\/a><br \/>Vortex <a href=\"https:\/\/twitter.com\/search?q=%24VTX&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$VTX<\/a><br \/>Blank <a href=\"https:\/\/twitter.com\/search?q=%24BLANK&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$BLANK<\/a><br \/>Unifarm <a href=\"https:\/\/twitter.com\/search?q=%24UFARM&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$UFARM<\/a><br \/>and more<\/p>\n<p>DO NOT BUY ANY TOKENS NOW<\/p>\n<p>Hacker&#8217;s wallet: <a href=\"https:\/\/t.co\/sPNcuPI31H\">pic.twitter.com\/sPNcuPI31H<\/a><\/p>\n<p>\u2014 Krisma (@KRMA_0) <a href=\"https:\/\/twitter.com\/KRMA_0\/status\/1413978628174516224?ref_src=twsrc%5Etfw\">July 
10, 2021<\/a><\/p><\/blockquote>\n<p>The OptionRoom project also said it was affected by the hack. Unknown actors withdrew 2.3 million <span data-descr=\"OptionRoom's own token\" class=\"old_tooltip\">ROOM<\/span> on the Ethereum blockchain and 10 million ROOM on the BSC network. As with Wilder World, the attackers swapped tokens through decentralised exchanges such as Uniswap. The developers withdrew liquidity from the respective pools to hinder this.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">2) Multiple projects have been affected by this hack, including OptionRoom. The hacker was able to acquire 2.3M <a href=\"https:\/\/twitter.com\/search?q=%24ROOM&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$ROOM<\/a> tokens on the Ethereum chain, and 10M <a href=\"https:\/\/twitter.com\/search?q=%24ROOM&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$ROOM<\/a> tokens on the <a href=\"https:\/\/twitter.com\/hashtag\/BSC?src=hash&#038;ref_src=twsrc%5Etfw\">#BSC<\/a> chain.<\/p>\n<p>\u2014 OptionRoom (@option_room) <a href=\"https:\/\/twitter.com\/option_room\/status\/1414006378415509505?ref_src=twsrc%5Etfw\">July 10, 2021<\/a><\/p><\/blockquote>\n<p>According to CoinGecko, on July 10 the ROOM token price fell by more than 92%. The same drop was seen for WILD and ASAP, though they later recovered to near pre-crash levels.<\/p>\n<p>OptionRoom, like several other projects affected by the attack, will compensate affected users at a 1:1 ratio. The ChainSwap team has taken a similar stance. Network participants were asked not to trade ASAP \u2014 developers recorded balances as of the pre-hack state and announced an airdrop of a new token version. 
<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">All holders and LPs pre-hack have been snapshotted. We will airdrop 1:1 new <a href=\"https:\/\/twitter.com\/search?q=%24ASAP&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$ASAP<\/a> tokens pre-hack, this includes <a href=\"https:\/\/twitter.com\/search?q=%24ASAP&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$ASAP<\/a> holders on exchanges. Liquidity will be re-added.<\/p>\n<p>Please do not buy the currently traded <a href=\"https:\/\/twitter.com\/search?q=%24ASAP&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$ASAP<\/a><\/p>\n<p>A compensation plan will be put into action for affected tokens<\/p>\n<p>\u2014 ChainSwap ($ASAP) (@chain_swap) <a href=\"https:\/\/twitter.com\/chain_swap\/status\/1413985428336693251?ref_src=twsrc%5Etfw\">July 10, 2021<\/a><\/p><\/blockquote>\n<p>This is the second attack on the protocol in July 2021. Earlier in the month, unknown actors exploited a vulnerability in ChainSwap&#8217;s code and withdrew $800,000 in various DeFi tokens from the platform.<\/p>\n<p>The project team contacted law enforcement and cooperated with the Bitcoin exchange OKEx to mitigate at least some of the losses. The developers agreed to return Corra and Rai tokens.<\/p>\n<p>Previously ChainSwap raised $3m from Alameda Research, the OKEx-backed venture fund OK Block Dream Fund and other investors.<\/p>\n<p>In June <a href=\"https:\/\/u1f987.com\/en\/news\/safe-dollar-defi-protocol-token-devalues-after-hack\">the DeFi protocol SafeDollar on the Polygon blockchain was hacked<\/a>, and its stablecoin devalued. 
Hackers exploited a vulnerability that allowed unlimited token issuance.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers exploited a critical vulnerability in the ChainSwap cross-chain bridge&#8217;s smart contract and drained more than $4m from DeFi projects. To mitigate the fallout, developers will release a new version of their own token, ASAP.<\/p>\n","protected":false},"author":1,"featured_media":45909,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1301,1154,1093],"class_list":["post-45907","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-blockchain-vulnerabilities","tag-crimes","tag-defi"],"aioseo_notices":[],"amp_enabled":true,"views":"37","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/45907","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=45907"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/45907\/revisions"}],"predecessor-version":[{"id":45910,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/45907\/revisions\/45910"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/45909"}],"wp:attachment":[{"href":"ht
tps:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=45907"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=45907"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=45907"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}