TL;DR#

On August 1, 2023, LeetSwap was exploited on the Base chain, which resulted in a loss of funds worth approximately $624,000.

Introduction to LeetSwap#

LeetSwap is an emerging DEX and DeFi ecosystem built with a focus on retaining a secure, fast, and user-friendly experience.

Vulnerability Assessment#

The root cause of the exploit is due to the price manipulation caused by a vulnerable function that was incorrectly assigned a visibility specifier.

Steps#

Step 1:

We attempt to analyze the attack transaction executed by the exploiter.

Step 2:

The LeetSwapV2Pair contract had a vulnerable `_transferFeesSupportingTaxTokens` function, which was mistakenly assigned a `public` visibility specifier. Therefore, anyone could invoke a call to this function in order to transfer tokens from the contract to the fee-collection address.

function _transferFeesSupportingTaxTokens(address token, uint256 amount) public returns (uint256) {
  if (amount == 0) {
    return 0;
  }

  uint256 balanceBefore = IERC20(token).balanceOf(fees);
  _safeTransfer(token, fees, amount);
  uint256 balanceAfter = IERC20(token).balanceOf(fees);

  return balanceAfter - balanceBefore;
}

Step 3:

The attacker initially initiated a normal small-swap operation to acquire the necessary tokens for the next swap. They then invoked a call to this vulnerable function, thereby transferring all of the tokens from one of the pairs to the address collecting fees, which manipulated the price of the underlying token.

Step 4:

The exploiter then called the `sync` function to balance the `axlUSD/WETH` pool and performed a reverse swap to take more ETH than expected.

Step 5:

The attack was repeated on multiple pools, and the exploiter was able to drain funds worth 340 ETH, totaling approximately $624,000, from them.

Aftermath#

The team acknowledged the occurrence of the incident and stated that they temporarily stopped trading to investigate the compromised liquidity. This was possible due to the presence of the pause functionality of the smart contracts. They also stated that they were working with on-chain security experts to try and find a way to recover the locked liquidity.

The team also worked to recover ETH from all the pools that were not drained by the attacker. They shared a Tweet for the attacker with hopes of entering into an agreement allowing them to retain 50 ETH and return the rest of the exploited funds back to the LeetSwap deployer.

Apparently, the team had their website down due to a DDoS attack on their servers, despite them being proxied and cached behind Claudflare. Approximately 220 ETH worth of stuck funds in the DEX liquidity pools have been recovered.

Solution#

Given the unfortunate events that transpired with LeetSwap, it's essential to underscore the importance of not just prevention but also mitigation when it comes to decentralized finance and smart contract development.

The root of the exploit within LeetSwap's smart contract emanated from a seemingly minor oversight—incorrectly assigning a `public` visibility specifier. This kind of vulnerability underscores the criticality of meticulous smart contract design. While it's imperative for developers to ensure the appropriate visibility specifier for every function, these measures are only part of a holistic security approach.

Access control mechanisms are crucial. By using modifiers or implementing role-based access control, developers can significantly restrict unauthorized access to sensitive functions. Furthermore, it's beneficial to adopt an event-driven architecture, notifying external contracts or users of state changes rather than leaving potentially vulnerable data or functions exposed.

However, even with the most rigorous precautions in place, there's always a risk of unforeseen vulnerabilities. This is where Neptune Mutual would have proven invaluable for the LeetSwap team and its users.

Had LeetSwap established a dedicated cover pool with Neptune Mutual, the repercussions of this exploit could have been notably minimized. Neptune Mutual stands as a bastion for users against the often catastrophic consequences of smart contract vulnerabilities. We offer coverage to those who have unfortunately lost funds or digital assets due to such breaches. Our innovative approach, characterized by parametric policies, ensures a smooth and immediate payout system. With our coverage policies, users don't need to go through the cumbersome process of proving their losses. Once an incident is confirmed and resolved via Neptune Mutual's thorough incident resolution framework, affected users can claim their payouts instantaneously.

Moreover, Neptune Mutual's extensive marketplace presence, spanning across major blockchain networks such as Ethereum, Arbitrum, and the BNB chain, ensures a wide-reaching safety net for DeFi users. This accessibility not only provides protection against potential threats but also fosters strengthened trust in the decentralized finance ecosystem.

Reference Source SlowMist