UNKNOWN

JULY 2021

GLOBAL

KWIKSWAP

DESCRIPTION OF EVENTS

"Kwikswap is a decentralised protocol built on the Ethereum Network. Kwikswap is the first multi-chain DEX on Astar and Reef Chain. Future iterations will also see Kwikswap DEX developed on Acala Network and Polkadot."

 

"Much like Uniswap, Kwikswap enables developers to build on its APIs and dApp UI and source code which can assist in extending the reach of the protocol."

 

"Kwikswap allows the creation of token markets, web 3.0 wallet connectivity, no requirement for KYC and features layer 2 scaling. You always control your funds for a completely decentralized experience!"

 

"The plan is to deploy the Kwikswap DEX on PLASM and ACALA on Polkadot to bring additional features like staking, Voting, Stablecoins, and more. This will make Kwikswap the first cross-chain DEX to be deployed on two-layer 2 solutions on Polkadot."

 

"Kwikswap capitalizes on the massive potential of decentralized finance to overshadow traditional finance by allowing users to participate and get rewarded for their efforts. This comes with maximum user-experience convenience and perks like eliminating third-party involvement in payments and value transfer."

 

"As implied by its name, Kwikswap is already on its way to becoming the biggest, most-lucrative, straightforward, practical, fastest, and cheapest decentralized exchange in the world."

 

"ChainSwap is a bridge protocol that links the Ethereum and Binance Smart Chain (BSC) blockchains." "It supports Binance Smart Chain, Ethereum, Polygon, and Huobi Eco Chain." "The ChainSwap hacker identified and exploited a vulnerability in the ChainSwap smart contract. This vulnerability enabled them to steal and mint new tokens for various protocols that were using the bridge to trade across Ethereum and BSC."

 

Investigation by ChainSwap revealed "a bug in the token cross-chain quota code. The on-chain swap bridge quota is automatically increased by the signature node, which is intended to be more decentralized without manual control. However, due to a logical flaw in code, this led to an exploit by allowing invalid addresses which weren’t whitelisted to automatically increase the amount."
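The class of flaw described in that statement, shown as an added example that is not ChainSwap's contract code or part of the quoted sources: a quota that grows on request without first checking the requester against the whitelist. The class, function names and addresses are constructed for illustration, and the model assumes a simple per-signer quota.

```python
# Constructed model of a bridge mint quota (illustrative; not ChainSwap's contract).
from dataclasses import dataclass, field


class QuotaError(Exception):
    """Raised when a quota or mint request is rejected."""


@dataclass
class BridgeQuota:
    whitelist: frozenset            # signer addresses approved to authorise mints
    enforce_whitelist: bool         # False reproduces the described flaw
    quota: dict = field(default_factory=dict)   # signer -> remaining quota
    minted: dict = field(default_factory=dict)  # recipient -> tokens minted
    events: list = field(default_factory=list)  # (kind, signer, amount) audit trail

    def increase_quota(self, signer: str, amount: int) -> int:
        if amount <= 0:
            raise QuotaError("amount must be positive")
        # The check the flawed path skips: only whitelisted signers get quota.
        if self.enforce_whitelist and signer not in self.whitelist:
            raise QuotaError(f"{signer} is not a whitelisted signer")
        self.quota[signer] = self.quota.get(signer, 0) + amount
        self.events.append(("quota", signer, amount))
        return self.quota[signer]

    def mint(self, signer: str, recipient: str, amount: int) -> int:
        if amount <= 0 or self.quota.get(signer, 0) < amount:
            raise QuotaError("mint exceeds signer quota")
        self.quota[signer] -= amount
        self.minted[recipient] = self.minted.get(recipient, 0) + amount
        self.events.append(("mint", signer, amount))
        return self.minted[recipient]


def unauthorised_signers(bridge: BridgeQuota) -> set:
    """Detection: signers that appear in the audit trail but not the whitelist."""
    return {signer for _, signer, _ in bridge.events if signer not in bridge.whitelist}


def run_scenario(enforce_whitelist: bool) -> tuple:
    """Replay the same constructed requests against one configuration."""
    bridge = BridgeQuota(frozenset({"0xNODE_A", "0xNODE_B"}), enforce_whitelist)
    bridge.increase_quota("0xNODE_A", 1_000)
    bridge.mint("0xNODE_A", "0xUSER", 400)
    try:
        bridge.increase_quota("0xOUTSIDER", 1_000_000)   # not whitelisted
        bridge.mint("0xOUTSIDER", "0xOUTSIDER", 1_000_000)
    except QuotaError:
        pass
    return bridge.minted.get("0xOUTSIDER", 0), unauthorised_signers(bridge)
```

With `enforce_whitelist=False` the outsider's quota increase and mint both succeed and the audit check flags the address; with `True` the request is rejected before any state changes.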

 

"IMPORTANT NOTICE: Unfortunately our BEP-20 tokens have been impacted by the Chainswap Hack. We have removed our markets whilst our dev team and the Chainswap team investigate this further. We will update ASAP."

 

"The attacker managed to take control of the projects’ BSC contracts by exploiting ChainSwap. The attacker minted tokens directly to their address, then sold them on BSC’s most popular decentralized exchange, PancakeSwap." "[T]he attacker used the PancakeSwap exchange to convert the stolen tokens to WBNB, DAI, and other tokens."

 

"All holders and LPs pre-hack have been snapshotted. We will airdrop 1:1 new $ASAP tokens pre-hack, this includes $ASAP holders on exchanges. Liquidity will be re-added." "Please do not buy the currently traded $ASAP." "A compensation plan will be put into action for affected tokens"

 

"The price of KWIK has suffered recently due to the hack of the ChainSwap DEX where the token was listed. The hacker stole $8 million due to the security breach and crashed the price of all tokens that were traded on that DEX, including $KWIK. It should be noted, that it wasn’t related to KwikSwap at all, just some bad luck."

 

"Chainswap said it had already repurchased a small amount of the affected tokens from the market and returned the contract wallet. The rest will be paid out in full by the Chainswap vault." "ChainSwap team has now prepared and executed a compensation plan in consensus with the affected projects." "In order to bring everybody a more rigorous, efficient bridge, the next development model of ChainSwap will be adjusted to ensure maximum safety."

 

"We have concluded our investigation and that the hacker doesn’t have any additional Kwik Token. We will re-instate our KWIK token market within a few hours. There is no reason for a token swap as all hacked KWIK tokens were sold on Uniswap."

 

"For now, Chainswap has temporarily closed its cross-chain bridge." "ChainSwap worked with the police and OKEx to identify the attackers, and managed to negotiate the recovery of Corra and Rai tokens. An initial email with the attackers suggested the attackers return $1 million."

 

“Sorry for the trouble, you sound genuinely like great people but money is money,” the attackers of the earlier exploit told ChainSwap.

 

"KwikSwap stated that they had removed their markets as the hack had impacted their BEP-20 tokens and that they were working with ChainSwap on investigating the issue. KwikSwap planned to reinstate their token market and concluded that all the hacked KWIK tokens were sold off on Uniswap."

 

"ChainSwap is excited to announce that we have successfully integrated with Anyswap and Chainswap bridge is now live. We thank our community for its patience during the last few weeks."

 

"Due to the recent Chainswap exploit, Kwikstarter is shifting from BSC to Polygon. $KWIK BSC token holders must unstake their tokens from Kwikstarter, then send the $KWIK BSC Tokens to our nominated swap address." "All users that completed our BSC -> Polygon bridging form should have received their new Polygon $KWIK tokens."

KwikSwap is a decentralized exchange for swapping between tokens. Their token used ChainSwap to exist on multiple blockchains, which required some funds to be stored in the smart contract hot wallet.

 

The ChainSwap bridge was hacked, and the attacker was able to obtain the tokens. KwikSwap appears to have been quickly able to freeze the funds and restore the normal level of service, and ultimately ended up migrating off the BSC platform as a result.

HOW COULD THIS HAVE BEEN PREVENTED?

In theory, attackers will eventually find and exploit every vulnerability that exists in decentralized finance. However, it's impossible to know when that will happen, or whether a given contract is truly secure rather than carrying an exploit that simply hasn't been noticed yet. For any complex smart contract, it's impossible to prove security, and plenty of fully audited contracts have been exploited.

 

In this situation, there was luckily not much taken. Platforms should, generally, be prepared for the full loss of all assets stored in hot wallets (including smart contracts). Assets that do not need to be accessed quickly should be stored securely in a simple offline multi-signature wallet.

 


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.