A dark day in DeFi security history: Tokens of over 20 projects stolen from the Chainswap cross-chain bridge
This article is an original piece by Chain Catcher, authored by Hu Tao.
In the early hours of today, the cross-chain bridge project Chainswap was once again attacked by hackers. More than 20 project tokens deployed on this bridge's smart contract were stolen, resulting in one of the most significant security incidents in the history of DeFi.
According to information released by several Twitter users, the hacker's address is 0xEda5066780dE29D00dfb54581A707ef6F52D8113. Since early this morning, the hacker has gradually stolen over 20 project tokens from the Chainswap cross-chain bridge contract, involving projects such as Antimatter, Corra, DAOventure, FM Gallery, Fei protocol, Fair Game, Rocks, Peri Finance, Strong, WorkQuest, Dora Factory, Unido, Unifarm, Wilder Worlds, Nord Finance, OptionRoom, Umbrella, Razor, Dafi Finance, Oropocket, KwikSwap, Vortex, Blank, Rai Finance, Sakeswap, and others.
According to Etherscan and Bscscan data, the hacker's address has profited approximately $2.3 million by selling tokens, with several hundred thousand dollars worth of tokens still unsold. According to responses from some project teams, this may be because developers locked some of the stolen assets, preventing the hacker from selling them. Currently, Chainswap has temporarily shut down its cross-chain bridge.
Twitter user @Christoph Michel analyzed this security incident, stating that each token has a proxy contract for cross-chain transfers. When the hacker calls the contract, they must pay 0.005 ETH as a fee in _chargeFee, but this process lacks real identity verification checks, requiring only one signature. The issue may lie in the _decreaseAuthQuota function; if the quota for the signer has been exhausted that day, the function will reset. However, everyone seems to start from the default quota. Thus, the attacker only needs to sign with different addresses each time to bypass this. Then, in the _receive function, the amount given in the volume parameter is transferred to the attacker's to address.
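The quota flaw described above, modelled next to a hardened variant. This is an added example, not Chainswap's contract code: the class names, the released_to helper, the DEFAULT_QUOTA value and the sample addresses are assumptions, and signature verification is reduced to a signer string.

```python
# Simplified model of the per-signer quota check; not the real contract.
DEFAULT_QUOTA = 1_000_000  # assumed default quota (constructed value)


class VulnerableBridge:
    """A signer that was never registered still starts with the default quota."""

    def __init__(self):
        self.quota = {}      # signer -> remaining quota
        self.balances = {}   # recipient -> tokens released by the bridge

    def _decrease_auth_quota(self, signer, volume):
        # Flaw: an unknown signer falls back to DEFAULT_QUOTA instead of 0.
        remaining = self.quota.get(signer, DEFAULT_QUOTA)
        if remaining < volume:
            raise PermissionError("quota exceeded")
        self.quota[signer] = remaining - volume

    def receive(self, signer, to, volume):
        self._decrease_auth_quota(signer, volume)
        self.balances[to] = self.balances.get(to, 0) + volume


class HardenedBridge(VulnerableBridge):
    """Quota exists only for signers the operator registered explicitly."""

    def __init__(self, authorized_signers):
        super().__init__()
        self.quota = {s: DEFAULT_QUOTA for s in authorized_signers}

    def _decrease_auth_quota(self, signer, volume):
        if signer not in self.quota:  # allowlist check before any quota logic
            raise PermissionError("unknown signer")
        super()._decrease_auth_quota(signer, volume)


def released_to(bridge, signers, to, volume):
    """Submit one receive request per signer; return the total released to `to`."""
    for signer in signers:
        try:
            bridge.receive(signer, to, volume)
        except PermissionError:
            pass  # rejected request releases nothing
    return bridge.balances.get(to, 0)


if __name__ == "__main__":
    fresh = [f"0xfresh{i:02d}" for i in range(5)]  # constructed, unregistered signers
    print(released_to(VulnerableBridge(), fresh, "0xrecipient", DEFAULT_QUOTA))
    print(released_to(HardenedBridge({"0xoperator"}), fresh, "0xrecipient", DEFAULT_QUOTA))
```

In the vulnerable model the quota limits each signer but not the total, so the amount released grows with the number of distinct signers; the hardened model rejects every signer that is not on the allowlist.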
As a result of this incident, several project tokens, including ASAP, DVG, MATTER, NORD, DAFI, UMB, RAZOR, and ROOM, have seen declines of over 40%. Currently, nearly 10 affected project teams have responded on Twitter, with many planning to issue new tokens.
The Chainswap team tweeted that a snapshot has been taken of all ASAP token holders and LPs, and new ASAP tokens will be airdropped at a 1:1 ratio, including to ASAP holders on exchanges.
The OptionRoom team tweeted that the Chainswap hacker obtained 3.3 million ROOM tokens, but the team noticed the hacker's actions before any tokens were sold and decided to remove liquidity from Uniswap and Pancakeswap to protect token holders and liquidity providers from the hacker's sales into the liquidity pool. The team is currently processing on-chain logs and will airdrop new tokens to ROOM holders in the future.
The Antimatter team tweeted that they have taken a snapshot of all MATTER holders and LPs and will airdrop new MATTER tokens at a 1:1 ratio, including MATTER holders on exchanges.
The Peri Finance team tweeted that due to the vulnerability in Chainswap, they have withdrawn all liquidity from Uniswap and Pancakeswap to prevent the hacker from selling the tokens they obtained and depleting liquidity.
The Dafi Finance team tweeted that due to the attack on the Chainswap cross-chain bridge, the hacker sold 200,000 DAFI tokens, and the team will repurchase DAFI on the open market over the next six months. Meanwhile, the project reminds the community to withdraw liquidity from DEXs like Uniswap as soon as possible.
The Rai Finance team tweeted that it has been confirmed that Chainswap suffered a severe attack, with 700,000 RAI stolen and deposited into the hacker's Huobi account address. "Please bear with the temporary fluctuations in RAI prices on exchanges; we have been in contact with the Chainswap team and are monitoring the situation."
The Unifarm team tweeted that Chainswap is under attack, "They advised us to remove liquidity, and we have done so on Uniswap and Pancake Swap. We ask the community to also remove their liquidity until this issue is resolved." The project also stated that they have locked all UFARM tokens held by the hacker using developer privileges, preventing the hacker from selling these tokens.
The DAOventures team tweeted that due to the attack on Chainswap, the hacker acquired and sold 300,000 DVG worth $40,000, and the project will take a snapshot to compensate affected DVG holders.
Previously, on July 2, Chainswap also suffered a hack, with some user tokens actively withdrawn from wallets interacting with ChainSwap, resulting in an estimated total loss of $800,000. Chainswap stated that they have repurchased a small amount of affected tokens from the market and returned them to the contract wallet, while the remaining portion will be fully compensated by the Chainswap treasury.
Earlier, in April, ChainSwap announced that it had completed a $3 million strategic round of financing, with investments from Alameda Research, OK Block Dream Fund, NGC Ventures, Spark Digital Capital, Continue Capital, and others.