ChainSwap is a bridge protocol that links the Ethereum and Binance Smart Chain (BSC) blockchains. ChainSwap was the victim of a hack causing losses of millions of dollars on July 10, 2021. This was the second hack of the protocol within a couple of weeks.

Inside the Attack

The ChainSwap hacker identified and exploited a vulnerability in the ChainSwap smart contract. This vulnerability enabled them to steal existing tokens and mint new ones for various protocols that were using the bridge to trade across Ethereum and BSC. Affected protocols include Wilder World, Antimatter, Optionroom, Umbrellabank, and several others.

After stealing the tokens, the attacker used the PancakeSwap exchange to convert them to WBNB, DAI, and other tokens. The theft of this value from the affected contracts caused their value to crash suddenly, often by more than 85%.

Learning from the Attack

The ChainSwap hack demonstrates the importance of considering cross-contract interactions for smart contract security. Often, smart contract audits focus on the code of a particular project and don’t consider how that contract is related to other projects. In this case, vulnerabilities in the ChainSwap protocol enabled the attacker to exploit its relationships with other projects to steal tokens from those other projects.

Rob Behnke