On September 15, 2021, the NowSwap DEX was the victim of a hack.  The attacker exploited a vulnerability in the protocol’s code that enabled them to extract $1 million in tokens from the project.

Inside the Attack

The details of the NowSwap hack are very familiar. They mirror the Uranium Finance hack that occurred in April 2021.

The Uranium Finance and NowSwap hacks were made possible by an error when updating the smart contract’s code.  The original code of the contract contained a value, K, of 1,000 in three different places.  The update to the code changed this value in two places but not the third.

This third location was a check of the value of K, but it only checked for a value 1/10 of the actual value.  This enabled the attacker to swap 1 wei for 98% of the value stored in the contract.

Lessons Learned From the Hack

The NowSwap contract code is not open-source, which makes it more difficult for bugs to be detected and reported by security researchers.  However, an attacker determined that the code contained the same error as Uranium Finance and exploited this in their attack.

This incident demonstrates the importance of open-sourcing code, staying aware of past security incidents in the DeFi space, and undergoing a complete security audit before launching any smart contract code to the blockchain.  Taking any of these three steps might have enabled the vulnerability to be detected and fixed before an attacker exploited the project for $1 million in tokens.

Explained: The NowSwap Protocol Hack (September 2021)
Rob Behnke