SteamSwap (STM) Vulnerable Reserve Balance
Steam Swap is a decentralized digital asset trading platform. Its MineSTM smart contract was vulnerable to reserve-balance price manipulation: the contract's sell function priced STM from the current reserves of a liquidity pair, so anyone who could move those reserves within a transaction could move the price. Two attackers used flash loans to do exactly that and drained funds in two separate transactions. The protocol lost roughly $106k worth of assets. The team decided to audit the smart contract and relaunch. No mention of any reimbursements could be located.[1][2][3][4][5][6][7][8][9][10][11][12][13]
About SteamSwap
"Steam Swap is a decentralized digital asset trading platform that focuses on connecting digital asset trading markets around the world and providing users with efficient, secure and transparent trading services. We are committed to building an open, connected blockchain ecosystem that allows users to freely exchange digital assets and realize the flow and value of assets. Steam SWAP makes digital asset trading easier and more convenient! Our vision is to become a leader in the blockchain industry, lead the future development trend, and make STEAM SWAP a shining star in the blockchain world!"
"In order to ensure a smooth launch, we temporarily replaced the high-defense server. Considering the time difference of global members, we decided to adjust the launch time to UTC time June 6, 2024 05:00:00. Thank you"
What Happened
"Steam Swap was exploited across two different transactions on the $BNB chain due to the price manipulation of the underlying assets, resulting in a loss of assets worth approximately $105,000."
| Date | Event | Description |
|---|---|---|
| June 5th, 2024 9:23:00 AM MDT | Launch Announcement | The launch time is announced as 5 AM UTC on June 6th. |
| June 5th, 2024 8:32:59 PM MDT | Smart Contract Creation | The SteamSwap (MineSTM) smart contract is created on the BNB chain. |
| June 6th, 2024 11:25:57 AM MDT | First Attack Transaction | The first attack transaction, later analyzed by Neptune Mutual, nets the attacker roughly $92k. |
| June 6th, 2024 12:54:55 PM MDT | Second Attack Transaction | A second attack transaction, likely by a copycat, takes roughly another $14k. |
| June 6th, 2024 3:42:00 PM MDT | Announcement of Path Forward | The SteamSwap team announces the vulnerability and says it is preparing a smart contract audit, expected to take 7-10 business days. |
| June 6th, 2024 8:32:00 PM MDT | SlowMist Tweet Posted | The SlowMist team posts a tweet about the attack. |
| June 7th, 2024 7:30:00 AM MDT | Neptune Mutual Analysis | Neptune Mutual shares a link to its analysis on Twitter. |
| June 17th, 2024 8:23:00 AM MDT | SteamSwap Relaunch Announcement | The SteamSwap team announces the relaunch of its smart contract. |
Technical Details
"The vulnerable MineSTM contract has a sell function that uses a reserve pair for liquidity calculation. Notably, this exploited contract was deployed roughly 16 hours before the incident took place."
"The exploiter initially took a flash loan of 500,000 BSC-USD and used it to purchase roughly 2,740,041 STM tokens. The exploiter was able to manipulate this reserve balance by swapping a large amount of these tokens, and then ultimately called the above sell function to complete their attack."
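The mechanism described above, as an added, constructed example and not SteamSwap's own code: a toy constant-product pool, a hypothetical treasury whose `sell_vulnerable` pays out at the pair's spot price (the pattern the write-up describes), and a `sell_hardened` variant that quotes against a reference price fixed outside the attacker's transaction. The pool balances, the 500,000 loan, the 50,000 STM dumped, the 200,000 treasury and the 5% tolerance are all assumptions; fees and gas are omitted. The example generalizes the page's case to any contract that reads a price from live reserves.

```python
"""Toy simulation of reserve-balance price manipulation funded by a flash loan.

Constructed example (not SteamSwap's code). All numbers are assumptions chosen
to make the mechanism visible; swap fees and gas are ignored.
"""
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product pair (reserve_usd * reserve_stm = k) holding USD and STM."""
    reserve_usd: float
    reserve_stm: float

    def spot_price(self) -> float:
        """USD per STM read straight from the current reserves.

        This is what a vulnerable sell() trusts; anyone with enough capital can
        move it arbitrarily inside a single transaction and move it back after.
        """
        return self.reserve_usd / self.reserve_stm

    def swap_usd_for_stm(self, usd_in: float) -> float:
        k = self.reserve_usd * self.reserve_stm
        stm_out = self.reserve_stm - k / (self.reserve_usd + usd_in)
        self.reserve_usd += usd_in
        self.reserve_stm -= stm_out
        return stm_out

    def swap_stm_for_usd(self, stm_in: float) -> float:
        k = self.reserve_usd * self.reserve_stm
        usd_out = self.reserve_usd - k / (self.reserve_stm + stm_in)
        self.reserve_stm += stm_in
        self.reserve_usd -= usd_out
        return usd_out


@dataclass
class Treasury:
    """Hypothetical stand-in for a contract that buys STM back from users."""
    usd: float
    pool: Pool
    reference_price: float  # assumed TWAP / last-block checkpoint, set outside the attacker's tx

    def sell_vulnerable(self, stm_in: float) -> float:
        """Pays the live spot price: manipulable within one transaction."""
        payout = stm_in * self.pool.spot_price()
        if payout > self.usd:
            raise RuntimeError("treasury cannot cover payout")
        self.usd -= payout
        return payout

    def sell_hardened(self, stm_in: float, max_deviation: float = 0.05) -> float:
        """Pays the reference price and refuses when spot has been pushed away from it."""
        spot = self.pool.spot_price()
        if abs(spot - self.reference_price) / self.reference_price > max_deviation:
            raise RuntimeError("spot deviates from reference price; possible manipulation")
        payout = stm_in * self.reference_price
        if payout > self.usd:
            raise RuntimeError("treasury cannot cover payout")
        self.usd -= payout
        return payout


def run_attack(use_hardened: bool, loan: float = 500_000.0, stm_to_dump: float = 50_000.0) -> dict:
    """Flash-loan attack: buy STM to inflate spot, sell into treasury, unwind, repay."""
    pool = Pool(reserve_usd=100_000.0, reserve_stm=1_000_000.0)  # honest price 0.10 USD/STM
    treasury = Treasury(usd=200_000.0, pool=pool, reference_price=pool.spot_price())
    treasury_before = treasury.usd

    # 1. borrow USD and push the STM spot price up by buying a large amount
    stm_held = pool.swap_usd_for_stm(loan)
    manipulated_spot = pool.spot_price()

    # 2. try to sell part of the STM to the treasury at the inflated quote
    sell = treasury.sell_hardened if use_hardened else treasury.sell_vulnerable
    try:
        usd_from_treasury = sell(stm_to_dump)
        stm_held -= stm_to_dump
        succeeded = True
    except RuntimeError:
        usd_from_treasury = 0.0
        succeeded = False

    # 3. sell the remaining STM back into the pool and repay the loan
    usd_back = pool.swap_stm_for_usd(stm_held)
    profit = usd_from_treasury + usd_back - loan
    return {
        "attack_succeeded": succeeded,
        "manipulated_spot": manipulated_spot,
        "attacker_profit": round(profit, 2),
        "treasury_loss": round(treasury_before - treasury.usd, 2),
    }


if __name__ == "__main__":
    print("vulnerable:", run_attack(use_hardened=False))
    print("hardened:  ", run_attack(use_hardened=True))
```

With the assumed numbers the buy moves spot from 0.10 to 3.60 USD/STM, the vulnerable path pays 180,000 USD for 50,000 STM, and after unwinding the attacker keeps roughly 174,737 USD net of the repaid loan. The hardened path rejects the sale because spot is far outside the tolerance band around the reference price, the attacker unwinds at no gain, and the treasury is untouched. The reference price here is a placeholder for whatever a deployment actually uses (a time-weighted average, a price checkpointed in an earlier block, or an external oracle); the property that matters is that it cannot be moved inside the same transaction that calls sell().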
Total Amount Lost
"a loss of approximately $105K."
"The excess of the STM tokens were sold for profits worth approximately $91,670 before repaying the borrowed flash loan."
"Another attacker, likely a copycat of the original exploiter, executed yet another attack transaction to profit by roughly $13,892."
Summing the two transactions ($91,670 and $13,892) gives roughly $105,562, so the total amount lost is estimated at $106,000.
Immediate Reactions
"According to monitoring by the SlowMist security team, SteamSwap(STM) on BNBChain was attacked, resulting in a loss of approximately $105K."
"Steam Swap was exploited across two different transactions on the $BNB chain due to the price manipulation of the underlying assets, resulting in a loss of assets worth approximately $105,000."
Ultimate Outcome
"During tonight's node LP minting and mining process, a vulnerability was discovered in the contract. To ensure the system's security and stability, we have decided to conduct a security audit of the contract. The audit report is expected to be completed within 7-10 business days."
Total Amount Recovered
There do not appear to have been any funds recovered in this case, and no mention of reimbursements to affected users could be located.
Ongoing Developments
The SteamSwap team announced the relaunch of its smart contract on June 17th, 2024. No information about reimbursements to affected users was located.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. SlowMist Hacked - SlowMist Zone (Accessed Jun 18, 2024)
2. @SlowMist_Team Twitter (Accessed Jun 18, 2024)
3. MineSTM | Address 0xb7d0a1adafa3e9e8d8e244c20b6277bee17a09b6 | BscScan (Accessed Jun 18, 2024)
4. BNB Smart Chain Transaction Hash (Txhash) Details | BscScan (Accessed Jun 18, 2024)
5. https://www.stmswap.com/ (Accessed Jun 18, 2024)
6. @SteamSwap_ Twitter (Accessed Jun 18, 2024)
7. @SteamSwap_ Twitter (Accessed Jun 18, 2024)
8. @SteamSwap_ Twitter (Accessed Jun 18, 2024)
9. @neptunemutual Twitter (Accessed Jun 18, 2024)
10. How Was Steam Swap Exploited? (Accessed Jun 18, 2024)
11. 0x40f3bdd0a3a8d0476a | Phalcon Explorer (Accessed Jun 18, 2024)
12. BNB Smart Chain Transaction Hash (Txhash) Details | BscScan (Accessed Jun 18, 2024)
13. BNB Smart Chain Transaction Hash (Txhash) Details | BscScan (Accessed Jun 18, 2024)