In brief

  • An attacker exploited a critical vulnerability in ChainSwap’s smart contract code.
  • The attack caused a loss of several million dollars, including from Jake Paul-backed Wilder World.
  • ChainSwap suffered another attack last week. The project racked up $800,000 in damages.

Last night, crypto projects that had used ChainSwap to launch Ethereum tokens on Binance Smart Chain lost millions to an attacker whose address now holds about $4.4 million.

The attacker managed to take control of the projects’ BSC contracts by exploiting ChainSwap. The attacker minted tokens directly to their address, then sold them on BSC’s most popular decentralized exchange, PancakeSwap.

The attack was first spotted and analyzed by n30, a developer at Wilder World, an Ethereum-based NFT startup backed by YouTuber Jake Paul. The attacker managed to steal 20,000,000 WILD—Wilder World’s native token.

“Liquidity pulled temporarily, please do not buy $ASAP we are investigating the exploit,” ChainSwap tweeted at 9:30 pm UTC yesterday. ASAP, ChainSwap’s native token, is down 24% and currently trades for $0.22.

Other exploited tokens include Antimatter, Optionroom, Umbrellabank, Nord, Razor, Peri, Unido, Oro, Vortex, Blank, and Unifarm.

Some of these projects, such as Antimatter and Optionroom, have said that they will compensate token holders on a 1:1 basis. Others, such as Nord, are still working out a “path forward.”

ChainSwap has frozen its bridge between Ethereum and Binance Smart Chain, and said that all ASAP holders will be compensated.

In April, ChainSwap raised $3 million in a funding round led by Alameda Research and the OKEx OK Block Dream Fund.

Too soon

This is the second attack ChainSwap has suffered this month. On July 2, the platform incurred $800,000 in damages after an attacker exploited another vulnerability in its code.

ChainSwap worked with the police and OKEx to identify the attackers, and managed to negotiate the recovery of Corra and Rai tokens. An initial email with the attackers suggested they return $1 million.

“Sorry for the trouble, you sound genuinely like great people but money is money,” the attackers of the earlier exploit told ChainSwap.