Swarm Markets exploit: Post Mortem

Swarm · Published in Swarm.com · Jan 25, 2024

As of 02 February, 2024, Swarm AMM pools on Ethereum were fully restored to their state before the exploit. We would like to remind users that this was not a smart contract breach and internal policies have been put in place to prevent this from happening again.

On January 25, 2024, the Swarm Markets platform suffered a security breach in which the wrapping smart contract on Ethereum was exploited, affecting SMT, WETH, USDC and DAI.

Two actors were identified as being involved in the incident.

The first hacker attempted to pull assets from the affected wrapping smart contract (xTokenWrapper).

Several of the hacker's withdrawal attempts were intercepted by a second actor, a friendly white-hat MEV bot, which secured the majority of the attempted withdrawals.

The first hacker was left with a total of 472,891.80 SMT, 7826.70 DAI and 3234.50 USDC (approx. $120K in value).

The assets in the white-hat hacker’s wallet have been returned to us. To show our appreciation for the white-hat hacker’s efforts, they will keep 5% of each asset as a bounty. Assets will be returned to users once a full assessment of the attack has been undertaken.

The root cause of the issue goes back to 2022, when Swarm was working with an external vendor to develop a pilot version of the platform. During migration from the pilot platform to a new version, the vendor’s developers laid out a procedure to transfer the administration of all components to the Swarm team while removing any addresses affiliated with the vendor.

The documentation omitted the handover of one role, and that role is what allowed the attacker today to remap the xToken contracts within the platform and then draw crypto from the wrapping contracts.

It is unclear at this point whether this omission was malicious, and whether the exploit was carried out by a person or persons currently affiliated with the vendor. This will be further investigated.

The Swarm team acted immediately upon discovering the hack to prevent any further damage. We will continue to investigate thoroughly. A full timeline of what happened is available below.

Going forward

The Swarm Markets team has taken the following actions:

  • reviewed security procedures and safeguarded the current platform on Ethereum and Polygon
  • the platform on Polygon, the new platform version and the components that handle RWA trading have not been affected by this exploit
  • the platform on Ethereum will remain suspended until a further thorough investigation is concluded
  • we responded to an outreach by the white-hat hacker to establish communications and recover funds
  • hacker wallets (0x959E2CC532115d0a86e24EB2977D93Df6202560E, 0x27c317181b3dbf8ca8c3771e47cf7e7fad812512) have been reported to Valega Analytics, Chainalysis and other friendly CEXs
  • affected stakeholders and users were informed via email, Telegram and Twitter, with communication provided continuously after discovery
  • a further investigation into the potential involvement of the vendor will be initiated.

We are impressed and encouraged by the positive and supportive sentiment with which our community has responded during this time.

We’d like to extend a huge thank you to the MEV bot white hats (0xa19E4Fec1624c87fE0DD307103Ffc5923cE89BeF) involved in the recovery of the funds. We are very grateful to you.

Timeline

Some times are estimated.

January 25, 2024

  • 05:31:47 UTC — The attacker initiates the attack by transferring Proxy Admin ownership to Hacker Address 1 (0x959E2CC532115d0a86e24EB2977D93Df6202560E)
  • 05:32:47 UTC — The Proxy Admin was used to change the implementation of the Action Manager to a `Caller` contract; the `Caller` contract consisted of a single function allowing the caller to invoke `registerToken` on the xTokenWrapper, changing the mapping of native tokens to xTokens
  • 05:11:11 UTC — The `Caller` contract re-mapped the native tokens (SMT, WETH, USDC, DAI) to two fake xTokens created by the hacker, which are freely mintable (Fake xToken1)
  • 05:15:59 UTC — The hacker address minted fake xTokens (Tx1, Tx2, Tx3, Tx4)
  • 05:38:59 UTC — While the hacker starts using fake xTokens to unwrap native tokens, the friendly white-hat hacker identifies the irregularities and secures funds into their own wallet, starting with 168 WETH
  • 06:07:59 UTC — The hacker starts using fake xTokens to unwrap native tokens to Hacker Address 1, starting with 427k SMT (Tx1, Tx2, Tx3, Tx4, Tx5, Tx6, Tx7), followed by a transfer of 427k SMT from Hacker Address 1 to Address 2 (0x27c317181b3dbf8ca8c3771e47cf7e7fad812512)
  • 06:08:47 UTC — At this point the white-hat hacker has secured a total of 4,255,905 SMT into their wallet by minting 200 xTokens and unwrapping via multicall transactions.
  • 06:18:23 UTC — At this point the hacker deploys another fake xToken contract (Fake xToken2)
  • 06:22:47 UTC — The first hacker chooses to swap the already pulled 427k SMT into 54 WETH
  • 08:03:23 UTC — The hacker then pulls a total of 7,826.7 DAI and 3,234.5 USDC using the fake xTokens from the second contract.
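As an added example (not part of the original post and not Swarm's own code), the following Python models the two defensive checks this incident points to: a post-migration inventory that flags any privileged role still held outside the team's allow-list (the root cause described above), and a detector that walks a constructed event stream mirroring the timeline (Proxy Admin ownership change, implementation upgrade, remap of a native token to an unknown xToken) and escalates severity as the chain completes. Event names, role names and all addresses are hypothetical placeholders, not values from the incident.

```python
"""Detection logic for the privilege chain in the Swarm post-mortem, run over a
constructed event stream. Event names/fields are a hypothetical simplification
(OpenZeppelin-style OwnershipTransferred/Upgraded plus an assumed TokenRegistered
from the wrapper); all addresses are placeholders, not incident addresses."""
from dataclasses import dataclass

TRUSTED_ADMINS = {"0xSWARM_MULTISIG"}  # hypothetical post-migration allow-list
KNOWN_XTOKENS = {"SMT": "0xXSMT", "WETH": "0xXWETH", "USDC": "0xXUSDC", "DAI": "0xXDAI"}

# Constructed role inventory after a migration: one role was never handed over.
SAMPLE_ROLES = {
    ("ProxyAdmin", "owner"): "0xVENDOR_LEFTOVER",
    ("ActionManager", "admin"): "0xSWARM_MULTISIG",
    ("xTokenWrapper", "registrar"): "0xSWARM_MULTISIG",
}

# Constructed events mirroring the timeline: admin takeover -> upgrade -> remap.
SAMPLE_EVENTS = [
    {"event": "OwnershipTransferred", "contract": "ProxyAdmin", "newOwner": "0xATTACKER"},
    {"event": "Upgraded", "contract": "ActionManagerProxy", "implementation": "0xCALLER"},
    {"event": "TokenRegistered", "contract": "xTokenWrapper", "token": "SMT", "xToken": "0xFAKE_XTOKEN1"},
    {"event": "TokenRegistered", "contract": "xTokenWrapper", "token": "USDC", "xToken": "0xXUSDC"},
]

@dataclass
class Alert:
    severity: str
    reason: str

def stale_roles(roles):
    """Migration checklist: every privileged role must be held by a trusted address."""
    return {role: holder for role, holder in roles.items() if holder not in TRUSTED_ADMINS}

def audit_events(events):
    """Walk events in order; escalate severity when an admin takeover is followed by an
    implementation change and then a remap of a live token to an unknown xToken."""
    alerts, admin_lost, upgraded = [], False, False
    for ev in events:
        kind = ev["event"]
        if kind == "OwnershipTransferred" and ev["newOwner"] not in TRUSTED_ADMINS:
            admin_lost = True
            alerts.append(Alert("high", f"{ev['contract']} owner moved to {ev['newOwner']}"))
        elif kind == "Upgraded":
            upgraded = True
            alerts.append(Alert("critical" if admin_lost else "medium",
                                f"{ev['contract']} implementation -> {ev['implementation']}"))
        elif kind == "TokenRegistered":
            expected = KNOWN_XTOKENS.get(ev["token"])
            if expected is not None and ev["xToken"] != expected:  # same xToken again is benign
                alerts.append(Alert("critical" if admin_lost or upgraded else "high",
                                    f"{ev['token']} remapped from {expected} to {ev['xToken']}"))
    return alerts
```

Run against the constructed data, `stale_roles` reports the leftover ProxyAdmin owner and `audit_events` produces three alerts, the last two at critical severity because the remap follows a takeover and an upgrade.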

Thank you,

The Swarm Team
