ShibaSwap Treasure Finder Convert() EOA Restriction Bypass

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 15:43, 27 August 2025 by Azoundria


ShibaSwap Logo/Homepage

A vulnerability in the ShibaSwap: Treasure Finder smart contract led to an exploit resulting in an estimated $27,000 loss. The issue stemmed from the convert() function lacking slippage protection during LEASH-to-WETH swaps, making it vulnerable to sandwich attacks. Additionally, the onlyEOA() modifier, meant to restrict access to externally owned accounts, was bypassed using EIP-7702-compliant accounts, which mimic EOAs. The attacker used this to manipulate token prices and drain funds. No official acknowledgment, recovery, or follow-up appears to have been made by ShibaSwap’s team. The incident appears to have ended with a retained loss.[1][2][3][4][5][6][7]

About ShibaSwap

The ShibaSwap platform offers a comprehensive suite of decentralized finance (DeFi) tools, including token swaps, liquidity pools, and bridging services. Users can interact with a wide range of tokens such as SHIB, LEASH, BONE, and TREAT, as well as stablecoins like USDT, USDC, and DAI. The interface also provides access to support, FAQs, a testnet faucet, and developer resources, making it accessible for both new and experienced users. Token prices and their daily performance are prominently displayed, showing market trends across the ShibaSwap ecosystem.

The liquidity pools on ShibaSwap are diverse and active, with over 1,100 pools listed. Popular pairs include SHIB-WETH, LEASH-WETH, and BONE-WETH across both V1 and V2 pool versions. Each listing shows key metrics such as total liquidity, trading volume, and number of swaps, offering transparency into pool activity. Users can also create new liquidity positions or add liquidity to existing pools directly from the interface, facilitating participation in earning fees and supporting token liquidity.

In addition to swap and liquidity functions, ShibaSwap highlights trending and recently created tokens, allowing users to discover new opportunities. Ecosystem statistics reveal a strong presence, with $13 million in total value locked and nearly $1 million in daily trading volume. The broader Shiba Inu ecosystem is integrated through features like Shibarium, the Shib Metaverse, Shib Names, and more, signaling a push toward a more expansive decentralized infrastructure.

The Reality

The ShibaSwap: Treasure Finder smart contract contained two key vulnerabilities: the convert() function lacks slippage protection when swapping LEASH tokens for WETH, making it susceptible to price manipulation; and the onlyEOA() modifier, intended to restrict access to externally owned accounts, can be bypassed using EIP-7702-compliant accounts that behave like EOAs.

What Happened

A vulnerability in ShibaSwap's Treasure Finder contract—lacking slippage protection and using a bypassable onlyEOA() check—was exploited via sandwich attacks, resulting in a $27,000 loss.

Key Event Timeline - ShibaSwap Treasure Finder Convert() EOA Restriction Bypass

Date | Event | Description
August 22nd, 2025 1:24:23 AM MDT | First Attack Transaction | The first attack transaction was mined on the Ethereum blockchain.
August 24th, 2025 8:28:47 AM MDT | Second Attack Transaction | The second attack transaction was mined on the Ethereum blockchain. This transaction was reportedly made by a MEV bot.
August 24th, 2025 8:29:00 AM MDT | Post About Second Transaction | A Twitter/X bot called EigenPhi_Alert posts about this transaction as a MEV bot making $2.3k with an ROI of 108,654% using 4 tokens.
August 24th, 2025 12:49:47 PM MDT | Third Attack Transaction | The third attack transaction was mined on the Ethereum blockchain.
August 24th, 2025 8:30:00 PM MDT | TenArmor Tweet Posted | TenArmor posted a security alert warning of multiple sandwich attacks on the ShibaSwap: Treasure Finder contract, resulting in an estimated $27K loss. The vulnerability was attributed to the convert() function lacking slippage protection when swapping LEASH for WETH, allowing attackers to manipulate prices and gain extra LEASH tokens. Additionally, attackers bypassed the onlyEOA() check using an EIP-7702 account, which mimics externally owned accounts.

Technical Details

The vulnerability in the ShibaSwap: Treasure Finder contract centers around the convert() function, which handles token swaps—specifically, converting LEASH tokens to WETH. This function lacks slippage protection, a mechanism meant to limit the price impact of a trade. Without slippage limits, attackers can exploit the function via sandwich attacks: by front-running the swap with their own transactions to manipulate the token price, they can cause the convert() function to execute at an unfavorable rate, and then profit by reversing the price movement afterward. This leads to the attacker ending up with more LEASH tokens than they should, effectively draining value from the protocol.

Compounding this vulnerability, the onlyEOA() modifier—intended to restrict function calls to Externally Owned Accounts (EOAs)—was bypassed using an EIP-7702-compliant account. EIP-7702 lets an externally owned account attach delegated smart-contract code, so a wallet that runs contract logic still presents as an EOA to checks that only look at the sending account. This means that attackers could use a contract-backed wallet that behaves like an EOA, passing the onlyEOA() check and gaining access to functions that should have been restricted.

The attacker used a deceptive account type to pass access controls, then leveraged the lack of slippage safeguards to manipulate token swaps in their favor.
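The following Solidity sketch is an added illustration, not the Treasure Finder's own code (which this page does not reproduce): it places the unprotected convert() shape described above next to a hardened variant. The router interface, the keeper address and the tx.origin-based implementation of onlyEOA() are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed, minimal Uniswap-V2-style router and token interfaces.
interface IRouter {
    function swapExactTokensForTokens(uint256 amountIn, uint256 amountOutMin, address[] calldata path,
        address to, uint256 deadline) external returns (uint256[] memory);
}
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function approve(address, uint256) external returns (bool);
}
contract ConvertPattern {
    IRouter public immutable router;
    address public immutable leash;
    address public immutable weth;
    address public immutable keeper; // assumed: the only account allowed to trigger the hardened swap

    constructor(IRouter _router, address _leash, address _weth, address _keeper) {
        router = _router; leash = _leash; weth = _weth; keeper = _keeper;
        IERC20(_leash).approve(address(_router), type(uint256).max); // standing allowance for the router
    }
    // Assumed implementation of onlyEOA(): accepts any caller that is also tx.origin. An EIP-7702
    // account runs delegated contract code inside its own transaction, so msg.sender == tx.origin
    // still holds and this check no longer keeps contract logic out.
    modifier onlyEOA() {
        require(msg.sender == tx.origin, "not an EOA");
        _;
    }
    function _path() private view returns (address[] memory p) {
        p = new address[](2);
        p[0] = leash; p[1] = weth;
    }
    // Weak shape: amountOutMin = 0 and deadline = now, so the LEASH->WETH swap fills at whatever
    // price the pool quotes at execution, including a price pushed down by a front-running trade.
    function convertUnprotected() external onlyEOA {
        uint256 amountIn = IERC20(leash).balanceOf(address(this));
        router.swapExactTokensForTokens(amountIn, 0, _path(), address(this), block.timestamp);
    }
    // Hardened shape: a trusted keeper supplies a WETH floor computed off-chain plus a deadline, so a
    // manipulated pool price makes the swap revert; access is an explicit allowlist, not an EOA heuristic.
    function convert(uint256 amountOutMin, uint256 deadline) external {
        require(msg.sender == keeper, "not keeper");
        require(amountOutMin > 0, "min out required");
        uint256 amountIn = IERC20(leash).balanceOf(address(this));
        router.swapExactTokensForTokens(amountIn, amountOutMin, _path(), address(this), deadline);
    }
}
```

The floor passed as amountOutMin should come from a reference the caller trusts (for example a quote taken before submission with a tolerance applied), since a floor read from the same pool at execution time offers no protection.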

Total Amount Lost

The loss amount was reported as being approximately $27k by TenArmor.

The total amount lost has been estimated at $27,000 USD.

Immediate Reactions

There does not appear to be any notice or details posted on the @ShibainuCoin or @ShibaSwapDEX Twitter/X pages.

Ultimate Outcome

It's believed that there was no recovery or further investigation.

Total Amount Recovered

There are no reports of any funds being recovered.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

The case appears to be concluded with permanent loss.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References