MixedSwapRouter Token Transfer Vulnerability
Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
MixedSwapRouter is a smart contract on the Arbitrum blockchain which was created on May 14th, 2024. On May 31st, 2024, the smart contract was exploited due to a token transfer vulnerability and 293K $WINR worth between $11k and $16k was lost. There was no information found on the ownership of this smart contract. All available data is presently from the blockchain itself.[1][2][3][4][5][6][7][8][9][10]
About Arbitrum
"Arbitrum is a suite of Ethereum scaling solutions that make it easy to build and use decentralized applications." "Arbitrum is a technology suite designed to scale Ethereum. You can use Arbitrum chains to do all things you do on Ethereum — use Web3 apps, deploy smart contracts, etc., but your transactions will be cheaper and faster. Our flagship product — Arbitrum Rollup — is an Optimistic rollup protocol that inherits Ethereum-level security."
"Ethereum is awesome; on its own, however, it’s also very limited. The Ethereum blockchain only allows about 20-40 transactions per second (TPS) (that’s in total, for all Ethereum users); when the limit is reached, users are forced to compete against each other for their transactions to be included, which causes fees to go up."
"Arbitrum Rollup chain runs as a sort of sub-module within Ethereum. Unlike regular, layer 1 ( “L1”) Ethereum transactions, we don’t require Ethereum nodes to process every Arbitrum transaction; rather, Ethereum adopts an “innocent until proven guilty" attitude to Arbitrum. Layer 1 initially “optimistically assumes” activity on Arbitrum is following the proper rules. If a violation occurs (i.e., somebody claims “now I have all of your money”), this claim can be disputed back on L1; fraud will be proven, the invalid claim disregarded, and the malicious party will be financially penalized.
This ability to adjudicate and prove fraud on L1 is Arbitrum’s key, fundamental feature, and is how and why the system inherits Ethereum’s security."
About MixedSwapRouter
MixedSwapRouter is a smart contract on the Arbitrum blockchain which was created on May 14th, 2024. There was no information found on the ownership of this smart contract.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| May 13th, 2024 8:50:10 PM MDT | MixedSwapRouter Created | The MixedSwapRouter smart contract is first created. |
| May 31st, 2024 2:31:43 AM MDT | Malicious Transaction | A malicious transaction occurs on the Arbitrum blockchain. This appears to be the creation of a malicious smart contract. |
| May 31st, 2024 3:09:00 AM MDT | SlowMist Security Tweet | SlowMist makes a tweet about "potential suspicious activity". |
| May 31st, 2024 3:30:00 AM MDT | CyversAlert Tweet | CyversAlert shares a tweet including the funding source being ChangeNOW and calling the exploit a suspicious transaction. |
| May 31st, 2024 4:10:00 AM MDT | ChainAegis Tweet Shared | ChainAegis posts a tweet which ultimately includes a link to review the transaction link. |
Technical Details
"Attacker has funded by @ChangeNOW_io! Attacker got around $16K."
"There is a token transfer vulnerability in the target contract, and the tokens approved for the target contract can be transferred away."
Total Amount Lost
"293,000 WINR, valued at around $16,000." "Attacker got around $16K." "~293K $WINR, worth ~$11K."
The total amount lost has been estimated at $16,000 USD.
Immediate Reactions
"According to monitoring by the SlowMist security team, the MixedSwapRouter on Arbitrum was attacked, resulting in a loss of approximately 293,000 WINR, valued at around $16,000."
"The #MixedSwapRouter contract on #Arbitrum was attacked, lost ~293K $WINR, worth ~$11K."
"Our system has detected a suspicious transactions with MixedSwapRouter on #ARB !"
"Attacker has funded by @ChangeNOW_io! Attacker got around $16K."
"Please revoke your approvals for 0x58637AAAC44e2A2F190D9e1976E236d86D691542 ASAP!"
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ SlowMist Hacked - SlowMist Zone (Jun 12, 2024)
- ↑ @SlowMist_Team Twitter (Jun 17, 2024)
- ↑ Arbitrum One Address 0xe3e9...6e0869 | Blockchain Explorer | OKLink (Jun 17, 2024)
- ↑ @CyversAlerts Twitter (Jun 17, 2024)
- ↑ @ChainAegis Twitter (Jun 17, 2024)
- ↑ Arbitrum — The Future of Ethereum (Jun 17, 2024)
- ↑ @arbitrum Twitter (Jun 17, 2024)
- ↑ Arbitrum One Transaction Hash 0xe096...b7e79c | Blockchain Explorer | OKLink (Jun 17, 2024)
- ↑ Get started with Arbitrum | Arbitrum Docs (Jun 17, 2024)
- ↑ A gentle introduction to Arbitrum | Arbitrum Docs (Jun 17, 2024)