Decentralized Finance Protocol WDZD Swap Exploited for $1.1M: CertiK
Decentralized finance (DeFi) protocol WDZD Swap was exploited on May 19 for $1.1 million worth of Binance-Pegged Ether, according to a May 21 report from blockchain security firm CertiK. Binance-Pegged Ether represents Ether (ETH) that has been bridged to BNB Smart Chain (BSC).
According to the report, an attacker conducted nine malicious transactions that drained 609 Binance-Pegged ETH, worth $1.1 million at the time of the attack, from a contract associated with the WDZD project.
WDZD claims to be a DeFi project that runs on BSC. It is promoted by the Twitter account @DZDDAO, which has over 86,000 followers. The Telegram channel linked to this account also has 28,000 members. Cointelegraph could not verify how the protocol is supposed to work, and CertiK stated it is “not 100% on all the mechanics of the project.” However, the user interface for the app implies that it can be used to farm a token called “WDZD” in exchange for staking ETH.
In a May 24 conversation with Cointelegraph, a representative from CertiK reported that WDZD may have also been sold to users for Binance-Pegged ETH as part of an initial DEX offering (IDO). CertiK shared an image of what appears to be a WDZD advertisement for an IDO.
The BSC address at the bottom of the advertisement is 0xb75ac203c6fcba8d06659cd9c25a343598c6b627. Blockchain data shows that hundreds of transfers of ETH were made into this account. The account also transferred 460 ETH to another address, where it was then used in an “Add Liquidity” function call. This call is often used to deposit an asset to a liquidity pool in exchange for LP tokens.
Blockchain data shows that the deposited 460 ETH ended up in the “Swap LP” contract at BSC address 0xe0c352c56af65772ac7c9ab45b858cb43d22f28f.
On May 19, a known exploiter labeled “Fake_Phishing750” created the contract that later drained the tokens from the protocol. Fake_Phishing750 was responsible for an attack on another protocol called “Swap X,” CertiK stated.
Once the malicious contract was created, the attacker used it to perform nine transactions that drained $1.1 million of ETH from the Swap LP contract where the ETH had been deposited.
The Swap LP contract is unverified by BSCScan, which means that human-readable code for it is unavailable, making it difficult to determine exactly how the attacker drained the funds. However, CertiK claimed that the attacker could transfer WDZD tokens to the protocol’s factory address through an unverified function call. This WDZD was then swapped for LP tokens, which, in turn, were redeemed for the underlying ETH.