Some analysts have provided possible ways the exchange was exploited and pinned potential initial losses at over $600,000.
Decentralized exchange LeetSwap, which operates on Coinbase’s Base network, has announced a pause on trading, citing concerns of a potential exploit.
LeetSwap tweeted on Aug. 1 that it noticed some of its liquidity pools may have been compromised and temporarily stopped trading to investigate. In a subsequent update, the exchange said it is working with on-chain security experts to try to recover locked liquidity.
As our DEX is forked from Solidly, our factory had a security pause function.
We noticed that some pool liquidity might have been compromised and we temporarily stopped the trading to investigate.
— LeetSwap (@LeetSwap) August 1, 2023
While the exchange did not share many details, a number of blockchain sleuths have since provided some commentary about how the exploit is likely to have taken place.
Igor Igamberdiev, research head at algorithmic market maker Wintermute, believes the attacker used an exposed smart contract function that allowed them to increase the price of a token, which would then allow them to drain wrapped Ether (ETH) from LeetSwap's liquidity pools.
It was easy:
- swap a bit of WETH for X tokens (should have fees)
- call _transferFeesSupportingTaxTokens(address, uint256) to move token to a Fees contract
- call sync()
- swap X tokens for all WETH from the pool
Don't think that this function should be public
GG WP pic.twitter.com/a7vXvWf0HY
— Igor Igamberdiev (@FrankResearcher) August 1, 2023
Igamberdiev added that the potential exploit has seemingly netted the attacker 342.5 ETH, worth over $630,000.
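The arithmetic behind the sequence Igamberdiev describes, as an added example that is not LeetSwap's contract code: a toy constant-product pair in Python, assuming no swap fees or token tax, with hypothetical class and method names and constructed amounts. It runs the same four steps against a pair whose fee-transfer routine can be called from outside and against one where the routine is restricted to the pair itself.

```python
# Toy constant-product pair (x * y = k). Added illustration, not LeetSwap code.
# Assumptions: no swap fees or token tax; all names and amounts are constructed.

class Pair:
    def __init__(self, weth, x, guarded):
        self.bal = {"WETH": weth, "X": x}  # tokens the pair actually holds
        self.res = dict(self.bal)          # cached reserves used for pricing
        self.guarded = guarded             # True: fee transfer is internal-only

    def swap(self, tok_in, amount_in):
        tok_out = "X" if tok_in == "WETH" else "WETH"
        k = self.res["WETH"] * self.res["X"]
        out = self.res[tok_out] - k / (self.res[tok_in] + amount_in)
        self.bal[tok_in] += amount_in
        self.bal[tok_out] -= out
        self.res = dict(self.bal)
        return out

    def transfer_fees(self, amount, caller):
        # Stand-in for a routine that moves X from the pair to a fees contract.
        if self.guarded and caller != "pair":
            raise PermissionError("fee transfer is internal-only")
        self.bal["X"] -= amount

    def sync(self):
        self.res = dict(self.bal)          # reserves := current balances


def run_sequence(guarded):
    """Replay the four steps; return (WETH paid out, WETH left in the pair)."""
    pair = Pair(weth=100.0, x=1_000_000.0, guarded=guarded)
    x_bought = pair.swap("WETH", 1.0)
    try:
        pair.transfer_fees(pair.bal["X"] - 1.0, caller="external")
        pair.sync()
    except PermissionError:
        pass                               # guarded pair: reserves stay honest
    weth_out = pair.swap("X", x_bought)
    return weth_out, pair.bal["WETH"]


if __name__ == "__main__":
    for guarded in (False, True):
        out, left = run_sequence(guarded)
        print(f"guarded={guarded}: paid out {out:.4f} WETH, {left:.4f} left")
```

With the routine callable from outside, the final swap pays out almost the whole WETH reserve; with the caller check in place, the same trade only returns the 1 WETH that was put in.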
In an update roughly an hour and a half after it announced the trading halt, LeetSwap said it is working with security experts to find a way to recover liquidity locked on the platform.
We are working with on-chain security experts to try and find a way to recover the locked liquidity.
If you did not lock your liquidity you are free to remove it from the pools.
— LeetSwap (@LeetSwap) August 1, 2023
Allegations flew that the project was an exit scam, which the project developer denied.