SolidityScan
HACK ANALYSIS 2 min read

LeetSwap Hack Analysis

LeetSwap Hack Analysis

On August 1, 2023, LeetSwap on the Base platform experienced an attack due to an Access Control vulnerability resulting in a substantial loss of over 340 ETH.

Smart Contract Hack Overview:

Fig: Attack Transaction

Decoding the Smart Contract Vulnerability:

  • The attacker exploited the public _transferFeesSupportingTaxTokens function to manipulate the pool’s behaviour.
  • The attack involved a series of steps:
  1. Swapping $WETH for a different token A within the pool.
  2. Using the _transferFeesSupportingTaxTokens function to transfer token A and then immediately invoking the sync function, causing the price of token A to increase.
  3. Swapping token A back for $WETH and draining the pool, likely resulting in a significant profit for the attacker.
  • This attack was not isolated, as the attacker targeted multiple pools in a similar manner.
Fig: The root cause of the vulnerability

Mitigation and Best Practices:

  • Introduce an access control mechanism that restricts the ability to perform certain operations only to authorized addresses or roles within the project. This ensures that only trusted entities can initiate the process.
  • Ensure that the function visibilities are properly set according to the business logic.
  • Apply function modifiers to validate the caller’s permissions before executing critical operations. It is encouraged to utilize libraries from OpenZeppelin to ensure the usage of the “onlyOwner” modifier for the functions meant to be called only by the owner of the contract.
  • Always validate your code by writing comprehensive test cases that cover all the possible business logic.
  • To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan.
SolidityScan — Smart Contract Vulnerability Scanner

Conclusion:

SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord

DAppSocial Hack Analysis
Banana Token Hack Analysis