- LeetSwap has been exploited, resulting in a loss of $624,300, as confirmed by CertiK Alert.
- According to security firms, the exploiter manipulated the price through a vulnerable function on the LP contract.
- Wintermute’s Igor Igamberdiev explained the exploit’s details, calling for function privacy.
Operating on Coinbase’s Base network, decentralized exchange LeetSwap has reportedly been exploited, with a loss of about 342.5 ETH, or roughly $626K+. According to crypto sleuth CertiK Alert, the attacker manipulated the price by invoking a vulnerable function on the Liquidity Provider (LP) contract, transferring tokens to a fee address, and then effortlessly purchasing all the WETH tokens.
Wintermute’s head of research, Igor Igamberdiev, explained in detail how the exploiter managed to manipulate the price so effortlessly. First, they conducted a small swap of WETH for X tokens, ensuring that fees were incurred during the transaction. Next, they made use of an exposed smart contract function to move the acquired tokens to a fee contract.
To maintain control, the exploiter then called the sync() function, synchronizing the LP contract. Finally, they exchanged the acquired tokens for the entire available supply of WETH from the pool.
In his tweet, Igamberdiev notes that the function (_transferFeesSupportingTaxTokens) should not have been made public in the first place. Additionally, blockchain security firms, including PeckShield, Beosin Alert, and BlockSec, seconded Igamberdiev’s theory about the attack.
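The effect of that visibility choice can be seen in a toy constant-product pool. This is an added example, not LeetSwap's code: the `Pool` class, the `fee_fn_public` switch and all balances are constructed, and swap fees are left out. It runs the same sequence with the fee-transfer function exposed and with it restricted, and reports the reserve product `k` across `sync()`, which is the signal a monitor can alert on.

```python
# Toy constant-product pool; names and numbers are constructed for illustration.
class Pool:
    def __init__(self, weth, token, fee_fn_public):
        self.bal = {"WETH": weth, "X": token}  # balances actually held by the pair
        self.res = dict(self.bal)              # cached reserves used for pricing
        self.fee_fn_public = fee_fn_public     # True models the exposed function
        self.fee_contract_x = 0.0

    def swap(self, token_in, amount_in):
        """Constant-product swap priced from the cached reserves."""
        token_out = "X" if token_in == "WETH" else "WETH"
        out = self.res[token_out] * amount_in / (self.res[token_in] + amount_in)
        self.bal[token_in] += amount_in
        self.bal[token_out] -= out
        self.res = dict(self.bal)
        return out

    def transfer_fees(self, caller, amount):
        """Stand-in for the fee-transfer helper: moves X from the pair to the fee contract."""
        if not self.fee_fn_public and caller != "pair":
            raise PermissionError("fee transfer is internal to the pair")
        self.bal["X"] -= amount
        self.fee_contract_x += amount

    def sync(self):
        """Reset cached reserves to the actual balances."""
        self.res = dict(self.bal)

def run(fee_fn_public):
    """Replay the reported sequence; return (WETH paid out, WETH left, k_after / k_before)."""
    pool = Pool(weth=340.0, token=1_000_000.0, fee_fn_public=fee_fn_public)
    x = pool.swap("WETH", 1.0)                        # small WETH -> X swap
    k_before = pool.res["WETH"] * pool.res["X"]
    try:
        pool.transfer_fees("external", pool.bal["X"] - 1.0)  # external call to the helper
        pool.sync()                                   # reserves now reflect the skewed balance
    except PermissionError:
        pass                                          # restricted helper: reserves untouched
    k_after = pool.res["WETH"] * pool.res["X"]
    weth_out = pool.swap("X", x)                      # swap the same X back
    return weth_out, pool.bal["WETH"], k_after / k_before

if __name__ == "__main__":
    for public in (True, False):
        out, left, k_ratio = run(public)
        print(f"public={public}: WETH out={out:.4f}, WETH left={left:.4f}, k ratio={k_ratio:.2e}")
```

With the helper restricted, the round trip returns the original 1 WETH and `k` is unchanged; a collapse in `k` across a `sync()` with no matching liquidity removal is the anomaly to alert on.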
LeetSwap was the first to post a tweet acknowledging a potential compromise in some of its liquidity pools. As a precautionary measure, they temporarily halted trading to conduct a thorough investigation into the matter.
In a later update, the exchange informed its users that they are collaborating with on-chain security experts in an attempt to regain access to the locked liquidity. The situation remains under close scrutiny as the exchange endeavors to resolve the issue and safeguard its users’ assets.
Approximately one hour and a half after LeetSwap notified users of the trading halt while announcing it is actively collaborating with security experts to explore possible solutions for recovering the locked liquidity on their platform.