Dec 13, 2022 Frank Stewskid

ElasticSwap lost over $225,000 in a flash loan exploit

Earlier today, ElasticSwap, a DEX on the Avalanche blockchain, got exploited in a flash loan attack. As announced by security research company Peckshield, the attacker managed to get away with around $227,400 worth of USDC and TIC – ElasticSwap’s native governance token.

According to Peckshield, around the same time, the same attacker tried to exploit Ampleforth with a similar attack but was front-run by an MEV bot.

Following the attack, ElasticSwap’s team confirmed the exploit on Discord and Twitter and urged its users to remove any remaining liquidity from the protocol. 

While some users on the hacked exchange’s Discord server were asking questions about refunding unrealized profits from the forced withdrawal of liquidity, others managed to locate one address in which the ElasticSwap exploiter is still holding the stolen assets at the time of this writing. The wallet is already marked as ElasticSwap Exploiter 3 on Snowtrace. 

According to BlockSec, a blockchain security firm, the ElasticSwap exploit was actually a price manipulation attack whose root cause was “the mix/misuse of two accounting systems”.

BlockSec states that ElasticSwap uses two accounting systems: for adding liquidity the smart contract uses the internal accounting system, whereas for removing liquidity it uses a token-balance-based accounting system, reducing the internal accounting reserves. The attacker exploited this mechanic by first adding liquidity, then transferring USDC directly to the smart contract, and after that removing the liquidity, which unbalanced the contract’s internal USDC reserve, and finally swapping USDC for AMPL for profit.
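The accounting mismatch BlockSec describes can be reproduced in a small model. The following is an added example, not ElasticSwap's contract code or formulas: `ToyPool`, its share math and all amounts are constructed for illustration. It shows that paying withdrawals from token balances while debiting internal reserves shifts the pool's internal price, and that using one accounting system for both operations keeps it fixed.

```python
from fractions import Fraction


class ToyPool:
    """Constructed two-token pool; a simplified model, not ElasticSwap's code."""

    def __init__(self, mixed_accounting):
        self.mixed = mixed_accounting
        self.reserve = {"base": Fraction(0), "quote": Fraction(0)}  # internal accounting
        self.balance = {"base": Fraction(0), "quote": Fraction(0)}  # tokens actually held
        self.shares = {}

    def add_liquidity(self, who, base, quote):
        total = sum(self.shares.values())
        # Shares are minted against the internal reserves.
        minted = Fraction(base) if total == 0 else total * base / self.reserve["base"]
        for tok, amt in (("base", base), ("quote", quote)):
            self.reserve[tok] += amt
            self.balance[tok] += amt
        self.shares[who] = self.shares.get(who, Fraction(0)) + minted

    def direct_transfer(self, tok, amt):
        # A plain token transfer changes the balance but not the internal reserve.
        self.balance[tok] += amt

    def remove_liquidity(self, who):
        total = sum(self.shares.values())
        frac = self.shares.pop(who) / total
        # Mixed mode: payout is sized from balances, yet debited from reserves.
        source = self.balance if self.mixed else self.reserve
        paid = {tok: source[tok] * frac for tok in source}
        for tok, amt in paid.items():
            self.reserve[tok] -= amt
            self.balance[tok] -= amt
        return paid

    def internal_price(self):
        # Quote per base, as the pool computes it from internal reserves.
        return self.reserve["quote"] / self.reserve["base"]


def price_drift(mixed_accounting):
    """Return the internal price before and after an add/transfer/remove cycle."""
    pool = ToyPool(mixed_accounting)
    pool.add_liquidity("lp", 1000, 1000)
    before = pool.internal_price()
    pool.add_liquidity("other", 1000, 1000)
    pool.direct_transfer("quote", 500)
    pool.remove_liquidity("other")
    return before, pool.internal_price()
```

A proportional add followed by a proportional remove should leave the internal price unchanged, so a check that `price_drift` returns two equal values works as a regression test or an on-chain invariant for this class of bug.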

Although ElasticSwap confirmed the attack and urged its users to remove liquidity from the protocol, there have been no further details on the attack shared by the company. Nevertheless, a few hours after the exploit, the exchange stated it is open to communication with the hacker and promised to provide updates via its official channels.


Last updated: Dec 13, 2022
