WDZD Swap Suffers A $1.1M Loss After Exploit

Please note that we are not authorised to provide any investment advice. The content on this page is for information purposes only.

WDZD Swap, a decentralized finance (DeFi) protocol, suffered an exploit on May 19. The exploit led to the loss of $1.1M worth of Binance-pegged ETH, according to the CertiK blockchain security firm.

WDZD Swap faces a $1.1M exploit

The report published on May 21 by CertiK said that an attacker performed nine malicious transactions that led to the loss of 609 Binance-pegged ETH valued at $1.1M at the time the attack happened. The transactions were reported on a contract of WDZD Swap.

WDZD is a DeFi project that runs on BNB Chain. The project is promoted by the “DZDDAO Twitter channel, which has more than 86,000 followers. According to CertiK, there was no certainty about how this project worked. However, the user interface for the app shows that it can be used to farm the WDZD token when a user stakes Ether.

Additionally, it also appears as if the WDZD token might have been sold to users in exchange for Binance-pegged Ether as part of an initial DEX offering (IDO). Blockchain data shows that ETH transfers were made to a BSC address associated with the project.

The account in question also transferred 460 ETH to another wallet address, after which it was used within an “Add Liquidity” function call. The function call is usually used to deposit an asset to a liquidity pool in exchange for LP tokens. According to blockchain data, the deposited 460ETH went to a Swap LP contract at another BSC address.

A known hacker known as “Fake_Phishing750” generated the contract that resulted in draining tokens from the protocol. The attacker was responsible for an attack that happened on another protocol known as “Swap X.” after the malicious contract was created, the hacker used it to conduct nine transactions resulting in a loss of $1.1M ETH from the Swap LP contract.

The attack method used by the hacker remains unclear

The Swap LP contract has not been verified by BSCScan, indicating that the human-readable code is still unavailable. According to CertiK, the attacker managed to transfer WDZD tokens to the factory address of the protocol using an unverified function call. The WDZD was later swapped for LP tokens.

The CertiK report said that the hacker manipulated a low-level function within the Swap-LP factory address that triggered the 0x33604058 function for the SwapLP Pair. The move led to the tokens being transferred to the factory address.

“This resulted in the transfer of all WDZD tokens in the pair to the factory address. Consequently, the attacker was able to acquire a larger number of SWAP LPs from the unverified address 0x3c4e06d17e243e2cb2e4568249b6f7213c43c743, using fewer WDZD and subsequently bring the LPs for profit,” the report said.

The loss comes amid a notable increase in hacks, scams, and rug pulls across the crypto industry this year. On April 24, Ordinals Finance users suffered a rug pull after over $1 million worth of assets was withdrawn from the protocol’s contracts. Earlier this month, an attacker exploited a flaw in a Level Finance contract.

About Ali Raza PRO INVESTOR

Ali is a professional journalist with experience in Web3 journalism and marketing. Ali holds a Master's degree in Finance and enjoys writing about cryptocurrencies and fintech. Ali’s work has been published on a number of leading cryptocurrency publications including Capital.com, CryptoSlate, Securities.io, Invezz.com, Business2Community, BeinCrypto, and more.