$27 000 USD

AUGUST 2025

GLOBAL

SHIBASWAP

DESCRIPTION OF EVENTS

The ShibaSwap platform offers a comprehensive suite of decentralized finance (DeFi) tools, including token swaps, liquidity pools, and bridging services. Users can interact with a wide range of tokens such as SHIB, LEASH, BONE, and TREAT, as well as stablecoins like USDT, USDC, and DAI. The interface also provides access to support, FAQs, a testnet faucet, and developer resources, making it accessible for both new and experienced users. Token prices and their daily performance are prominently displayed, showing market trends across the ShibaSwap ecosystem.


The liquidity pools on ShibaSwap are diverse and active, with over 1,100 pools listed. Popular pairs include SHIB-WETH, LEASH-WETH, and BONE-WETH across both V1 and V2 pool versions. Each listing shows key metrics such as total liquidity, trading volume, and number of swaps, offering transparency into pool activity. Users can also create new liquidity positions or add liquidity to existing pools directly from the interface, facilitating participation in earning fees and supporting token liquidity.


In addition to swap and liquidity functions, ShibaSwap highlights trending and recently created tokens, allowing users to discover new opportunities. Ecosystem statistics reveal a strong presence, with $13 million in total value locked and nearly $1 million in daily trading volume. The broader Shiba Inu ecosystem is integrated through features like Shibarium, the Shib Metaverse, Shib Names, and more, signaling a push toward a more expansive decentralized infrastructure.


The ShibaSwap: Treasure Finder smart contract contained two key vulnerabilities: the convert() function lacked slippage protection when swapping LEASH tokens for WETH, leaving it open to price manipulation; and the onlyEOA() modifier, intended to restrict calls to externally owned accounts, could be bypassed using an EIP-7702-compliant account that behaves like an EOA.


The vulnerability in the ShibaSwap: Treasure Finder contract centers on the convert() function, which handles token swaps, specifically converting LEASH tokens to WETH. The function lacked slippage protection, that is, a minimum-output bound that limits how far the executed price may deviate from the expected one. Without such a bound, the swap can be sandwiched: an attacker front-runs it with a trade that moves the pool price, lets convert() execute at the resulting unfavorable rate, and then reverses the price movement in a back-running trade. The attacker ends up with more LEASH tokens than they started with, effectively draining value from the protocol.
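To make the slippage point concrete, the following is an added example (not code from ShibaSwap or from the original write-up) that models a LEASH/WETH constant-product pool in the Uniswap V2 style. It shows what a convert() with no minimum-output bound pays out once the pool price has been moved ahead of it, and how the same call carrying a minOut floor derived from a pre-trade quote reverts instead. All reserves, trade sizes and the 0.3% fee are constructed assumptions for the simulation, not ShibaSwap figures; the real contract's internals are not reproduced here.

```python
"""Constant-product AMM model: unprotected convert() vs. a minOut-protected one.

Added example; pool sizes, trade sizes and fee are constructed, not ShibaSwap data.
Integer math mirrors on-chain arithmetic (floor division, 997/1000 fee).
"""

LEASH = 10**18  # 18-decimal token units assumed for both tokens
WETH = 10**18


class SlippageExceeded(Exception):
    """Raised when a protected swap would return less than the caller's minimum."""


def get_amount_out(amount_in: int, reserve_in: int, reserve_out: int) -> int:
    # Uniswap V2-style output for a constant-product pool with a 0.3% fee.
    amount_in_with_fee = amount_in * 997
    return amount_in_with_fee * reserve_out // (reserve_in * 1000 + amount_in_with_fee)


class Pool:
    """A LEASH/WETH constant-product pool; every swap mutates the reserves."""

    def __init__(self, reserve_leash: int, reserve_weth: int) -> None:
        self.reserve_leash = reserve_leash
        self.reserve_weth = reserve_weth

    def quote_leash_to_weth(self, amount_leash: int) -> int:
        return get_amount_out(amount_leash, self.reserve_leash, self.reserve_weth)

    def sell_leash(self, amount_leash: int) -> int:
        out = self.quote_leash_to_weth(amount_leash)
        self.reserve_leash += amount_leash
        self.reserve_weth -= out
        return out

    def sell_weth(self, amount_weth: int) -> int:
        out = get_amount_out(amount_weth, self.reserve_weth, self.reserve_leash)
        self.reserve_weth += amount_weth
        self.reserve_leash -= out
        return out


def convert_unprotected(pool: Pool, amount_leash: int) -> int:
    # Models a convert() with no minimum output: whatever the pool pays right now is accepted.
    return pool.sell_leash(amount_leash)


def convert_protected(pool: Pool, amount_leash: int, min_weth_out: int) -> int:
    # Hardened form: the caller supplies a floor derived from a pre-trade quote;
    # executing below it reverts instead of handing the shortfall to a front-runner.
    if pool.quote_leash_to_weth(amount_leash) < min_weth_out:
        raise SlippageExceeded("output below minimum, reverting")
    return pool.sell_leash(amount_leash)


def min_out_with_tolerance(quote: int, tolerance_bps: int) -> int:
    # Floor = quote minus an accepted tolerance (100 bps = 1%).
    return quote * (10_000 - tolerance_bps) // 10_000


def simulate_sandwich(pool: Pool, victim_leash: int, attacker_leash: int) -> dict:
    """Front-run sells LEASH (price drops), victim's convert() executes at the
    depressed price, back-run spends the WETH received to buy LEASH back cheaper."""
    honest_quote = pool.quote_leash_to_weth(victim_leash)
    weth_from_frontrun = pool.sell_leash(attacker_leash)
    victim_weth = convert_unprotected(pool, victim_leash)
    leash_back = pool.sell_weth(weth_from_frontrun)
    return {
        "honest_quote_weth": honest_quote,
        "victim_weth_received": victim_weth,
        "victim_shortfall_weth": honest_quote - victim_weth,
        "attacker_profit_leash": leash_back - attacker_leash,
    }


def protected_swap_under_sandwich(pool: Pool, victim_leash: int,
                                  attacker_leash: int, tolerance_bps: int) -> str:
    """Same front-run, but the victim's convert() carries a minOut bound."""
    min_out = min_out_with_tolerance(pool.quote_leash_to_weth(victim_leash), tolerance_bps)
    pool.sell_leash(attacker_leash)
    try:
        convert_protected(pool, victim_leash, min_out)
        return "executed"
    except SlippageExceeded:
        return "reverted"


def fresh_pool() -> Pool:
    # Constructed reserves: 1,000,000 LEASH against 100 WETH.
    return Pool(1_000_000 * LEASH, 100 * WETH)


if __name__ == "__main__":
    result = simulate_sandwich(fresh_pool(), 10_000 * LEASH, 50_000 * LEASH)
    for key, value in result.items():
        print(f"{key}: {value / 10**18:.4f}")
    print("protected swap under the same front-run:",
          protected_swap_under_sandwich(fresh_pool(), 10_000 * LEASH, 50_000 * LEASH, 100))
```

With these constructed reserves the unprotected swap loses roughly 9% of its expected WETH to the price move, which is exactly the shortfall the back-run collects as extra LEASH; a 1% tolerance floor rejects the manipulated execution outright. The defender-side lesson is that the floor has to come from the caller (a quote taken before the transaction is submitted), not from the pool's spot price at execution time, since the latter is what the front-run has already moved.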


Compounding this vulnerability, the onlyEOA() modifier, intended to restrict function calls to Externally Owned Accounts (EOAs), was bypassed using an EIP-7702-compliant account. EIP-7702 lets an EOA attach smart contract code to itself, so an account that still passes the usual EOA checks can nonetheless execute contract logic within the same transaction. An attacker could therefore use a contract-backed wallet that looks like an EOA to the onlyEOA() check, gaining access to functions that should have been restricted.


The attacker used a deceptive account type to pass access controls, then leveraged the lack of slippage safeguards to manipulate token swaps in their favor.


The loss amount was reported as being approximately $27k by TenArmor.


There does not appear to be any notice or details posted on the @ShibainuCoin or @ShibaSwapDEX Twitter/X pages.


It's believed that there was no recovery or further investigation.


There are no reports of any funds being recovered.


The case appears to be concluded with permanent loss.


Explore This Case Further On Our Wiki

A vulnerability in the ShibaSwap: Treasure Finder smart contract led to an exploit resulting in an estimated $27,000 loss. The issue stemmed from the convert() function lacking slippage protection during LEASH-to-WETH swaps, making it vulnerable to sandwich attacks. Additionally, the onlyEOA() modifier, meant to restrict access to externally owned accounts, was bypassed using EIP-7702-compliant accounts, which mimic EOAs. The attacker used this to manipulate token prices and drain funds. No official acknowledgment, recovery, or follow-up appears to have been made by ShibaSwap’s team. The incident appears to have ended with a retained loss.

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.


© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.