Cryptocurrency platform WDZD Swap has been hacked, blockchain security firm CertiK reported. CertiK claims that hackers stole $1.1 million in this attack. BscScan detected the attack as a known hacker known as ‘Fake_Phishing750’.
CertiK: This cryptocurrency platform has been hacked, there is damage!
Blockchain security firm CertiK reports that decentralized finance (DeFi) protocol WDZD Swap has been hacked. The security firm noted that the hacker stole $1.1 million worth of Binance Pegged Ether. Binance Pegged Ether stands for Ether bridged with BNB Smart Chain (BSC). According to the report, a hacker withdrew 609 Binance Pegged ETH, worth $1.1 million at the time of the attack, from a contract associated with the WDZD project.
WDZD states that it is a DeFi project running on BNB Chain. The project is promoted by the Twitter account @DZDDAO, which has more than 86,000 followers. The Telegram channel linked to this account also has 28,000 members. Meanwhile, experts have yet to confirm how the protocol should work. CertiK stated that they were “not 100% on the whole mechanics of the project.” However, the app’s UI hints that it can be used to create a token called “WDZD” in exchange for staking ETH.
A CertiK representative said that WDZD may have been sold to users for Binance Pegged ETH as part of an initial DEX offering (IDO). In this context, CertiK shared an image that looks like a WDZD advertisement for an IDO.
How did the hacking happen? Here are the details…
BSC address at the bottom of the ad: 0xb75ac203c6fcba8d06659cd9c25a343598c6b627. Blockchain data shows that hundreds of ETH transfers were made to this account. The account also transferred 460 ETH to another address. He then used it in an “Add Liquidity” function call. This call is often used to deposit an asset in a liquidity pool in exchange for LP tokens. Furthermore, Blockchain data shows that the 460 ETH deposited ended in the “Swap LP” contract at BSC 0xe0c352c56af65772ac7c9ab45b858cb43d22f28f.
The hacker with the tag “Fake_Phishing750” created the contract on May 19 that dumped the tokens in the protocol. CertiK stated that Fake_Phishing750 was responsible for the attack on another protocol called “Swap X”. After creating his malicious contract, the hacker used ETH to execute nine transactions, withdrawing $1.1 million in ETH from the Swap LP contract he deposited.
BscScan confirmed the Swap LP contract. This means that human readable code does not exist. So, this makes it difficult to determine exactly how the attacker drained the funds. However, CertiK claims that the attacker transferred WDZD tokens to the protocol’s factory address via an unverified function call. The attacker later exchanged this WDZD for LP tokens. He then used them for underlying ETH.
The report states, “The attacker manipulated a low-level call at the Swap-LP factory address that triggered the 0x33604058 function of the SwapLP Pair. He finished the transaction by transferring all the WDZD tokens in the pair to the factory address. As a result, the attacker obtained more SWAP LPs using less WDZD than the unconfirmed address 0x3c4e06d17e243e2cb2e4568249b6f7213c43c743. He then burned the LPs for profit,” he explains.
As you follow on Kriptokoin.com, CertiK reported in May that its 1st quarter losses from shortfalls decreased in the first quarter. But they also noted that this is likely a “temporary postponement.”