- Initial losses are at least $600,000 in wrapped ether
- Attacker used an exposed smart contract feature to hike up a token price
- He then drained wrapped ether from LeetSwap's liquidity pools
LeetSwap, a decentralized exchange (DEX) running on Coinbase’s Base network, announced it has suspended trading over concerns of a hack, Cointelegraph wrote. LeetSwap is the biggest DEX on Base.
Experts have provided hypotheses on how the exploit occurred, estimating initial losses at a minimum of $600,000 in wrapped ether (wETH).
On August 1, LeetSwap tweeted they had noticed some of their liquidity pools might have been compromised and halted operations to investigate. Soon thereafter, the DEX announced it was cooperating with on-chain security experts to attempt to restore locked liquidity.
Exposed smart contract implicated
LeetSwap did not provide many details, but several blockchain investigators had some ideas about how the exploit was likely to have occurred.
Attacker drained wETH from liquidity pools
According to Igor Igamberdiev, head of research at algorithmic market maker Wintermute, the assailant used an exposed smart contract feature, which let him hike up the price of a token. Then, he drained wrapped ether from LeetSwap's liquidity pools.
According to the expert, the attacker gained 342.5 ETH worth over $630,000 from the attack. Wintermute has experience in these kinds of things.
CertiK, PeckShield, and other prominent blockchain security firms confirmed Igamberdiev's hypothesis as well as the lost funds in separate tweets.
LeetSwap announced soon after the trading suspension that it was working with security experts to discover a way to restore the locked liquidity on the platform.
BALD crashed in another Base controversy
Also today, Coinbase’s Base network experienced another setback. The developer of BALD, a Brian Armstrong-themed meme coin, took away the token’s liquidity and caused its price to plummet. The event was met with accusations that the project involved a rug pull, which the developer denied.
July was the worst month for crypto this year in terms of losses from scams and hacks. On July 30, Curve suffered a hack, losing more than $100 million to a re-entrancy bug in Vyper, a programming language behind some Curve ecosystem components.
Contributors
