The attacker managed to take control of the projects’ BSC contracts by exploiting ChainSwap. The attacker minted tokens directly to their address, then sold them on BSC’s most popular decentralized exchange, PancakeSwap.
— n3o (@real_n3o) July 11, 2021
The attack was first spotted and analyzed by n3o, a developer at Wilder World, an Ethereum-based NFT startup backed by YouTuber Jake Paul. The attacker managed to steal 20,000,000 WILD—Wilder World’s native token.
“Liquidity pulled temporarily, please do not buy $ASAP we are investigating the exploit,” ChainSwap tweeted at 9:30 pm UTC yesterday. ASAP, ChainSwap’s native token, is down 24% and currently trades for $0.22.
The Chainswap team has frozen the BSC mapping token address to filter out the hackers' addresses.
Balances might temporarily show 0 until we are done filtering.
Smart contract is affected, not the wallets that interacted with Chainswap. Funds from individual wallets are safe.
— ChainSwap ($ASAP) (@chain_swap) July 11, 2021
Other exploited tokens include Antimatter, Optionroom, Umbrellabank, Nord, Razor, Peri, Unido, Oro, Vortex, Blank, and Unifarm.
Please do not buy the currently traded $ASAP
A compensation plan will be put into action for affected tokens
— ChainSwap ($ASAP) (@chain_swap) July 10, 2021
This is the second attack ChainSwap has suffered this month. On July 2, the platform incurred $800,000 in damages after an attacker exploited another vulnerability in its code.
ChainSwap worked with the police and OKEx to identify the attackers, and managed to negotiate the recovery of Corra and Rai tokens. An initial email with the attackers suggested they return $1 million.
“Sorry for the trouble, you sound genuinely like great people but money is money,” the attackers of the earlier exploit told ChainSwap.