ChainSwap Exploit Post-Mortem

Razor Network
Jul 11, 2021

Updated, 14th July 2021

ChainSwap, a cross-chain asset bridge & application hub for smart chains, was exploited at around 08:00 PM UTC on 10th July. ChainSwap allows projects to bridge between blockchains seamlessly; many projects using these services were affected by the exploit, including Razor Network. To eliminate all fear, uncertainty, and doubt, we have written down what happened during the exploit, the developments since, and the plan ahead.

ChainSwap exploit details

At around 08:00 PM UTC on 10th July, an attacker was able to attack ChainSwap contracts and steal tokens of various projects, including Razor.

The attacker was able to steal 2.8M $RAZOR tokens, which were the total tokens locked in the ChainSwap vault on Ethereum. They managed to sell the tokens on various exchanges. While investigating the issue, we found the following details of the transactions made by the attacker:

Total $RAZOR stolen: 2,856,246 tokens

Tx1: 44,150 DAI

Ethereum Transaction Hash:

0xe369fee3c0b721feeb41f46a308c1f71b17065bf4144770552190203d20886ae

Tx2: 23,555 DAI

Ethereum Transaction Hash:

0x9c64e568be2e8d071da1905c55df37bd1a2f26df1f445a5a60b6c980a16d4e32

Tx3: 53,480 DAI

Ethereum Transaction Hash:

0x3107390fc197518a9b92db3ff62f7f06b178b0dc0e3e7f69a7416e9f2b56966d

The attacker was able to sell all the stolen tokens before we pulled the liquidity, which resulted in a loss of 121,187 DAI.

Plan Ahead

  • After the analysis, we concluded that trading on the Ethereum chain is safe since all the stolen tokens have been sold already.
  • ChainSwap has frozen $RAZOR tokens on BSC as a precautionary measure. Please note that $RAZOR on BSC cannot be swapped on PancakeSwap or transferred to other wallets.
  • We are working closely with the ChainSwap team to figure out a plan to recover $RAZOR from BSC. We appreciate your patience in this regard.

ChainSwap has reimbursed us $48,475 USDC. We have bought back $RAZOR with the entire amount and burnt the purchased tokens to reduce the circulating supply in the interest of our community. The following are the transactions made by Razor Network:

Buy-back Transactions

Tx1: 0x5b50a0e5708f61e81eacbeb504207314003666fa4af42b29827220d4b82a1b21

Tx2: 0xd9bbabdc99b842380862d994eeac3d2240b3f4cdff08cb3b9d1809b4eaabb21b

Tx3: 0xe4265e257b7c6df96133a297e37f06c04a02e9015628c5ef338c6c25a6f13d6f

Burn Transaction

Tx: 0x5dc65db4c27300c6bad6d7be0b1b52cc0a1468628cc3fd582bf64510b4d872c7

Please note that this is an isolated incident, and $RAZOR tokens on the mainnet are not affected. We always use audited and secure smart contracts to avoid such issues. This attack happened due to a third-party vulnerability.

Utmost care is being taken in the development of the Razor Network oracle. We will plan to work with reputed security auditing firms to minimize the chance of such incidents.

We will keep our community updated about each development in the case, and we assure you that we will act in good faith.

Razor Network is thankful to the community for its continued support!
