Dec 13, 2022 Frank Stewskid
ElasticSwap lost over $225,000 in a flash loan exploit
Earlier today, ElasticSwap, a DEX on the Avalanche blockchain, got exploited in a flash loan attack. As announced by security research company Peckshield, the attacker managed to get away with around $227,400 worth of USDC and TIC – ElasticSwap’s native governance token.
It seems @ElasticSwap on #AVAX is exploited (w/ ~187.4k $USDC & 40k $TIC) https://t.co/xEnLzBu9ES
— PeckShield Inc. (@peckshield) December 13, 2022
Seems like the exploiter is trying to exploit @AmpleforthOrg on Ethereum while it is front-runed by 0xbead...2967 (w/ ~445 $ETH) https://t.co/YGMaRQj6Lk pic.twitter.com/SPximaZe2q
According to Peckshield, around the same time, the same attacker tried to exploit Ampleforth with a similar attack but was front-runed by an MEV bot.
Following the attack, ElasticSwap’s team confirmed the exploit on Discord and Twitter and urged its users to remove any remaining liquidity from the protocol.
ElasticSwap has been compromised and we are working to understand more. Please remove any remaining liquidity ASAP.
— ElasticSwap (@ElasticSwap) December 13, 2022
While some users on the hacked exchange’s Discord server were asking questions about refunding unrealized profits from the forced withdrawal of liquidity, others managed to locate one address in which the ElasticSwap exploiter is still holding the stolen assets at the time of this writing. The wallet is already marked as ElasticSwap Exploiter 3 on Snowtrace.
According to BlockSec, a blockchain security firm, the ElasticSwap exploit was actually a price manipulation attack with a root cause – “the mix/misuse of two accounting systems”.
1/ The @ElasticSwap has just been exploited. It is a price manipulation attack and the root cause is due to the mix/misuse of two accounting systems.
— BlockSec (@BlockSecTeam) December 13, 2022
The attack tx:https://t.co/p9TAt4AHVL
The loss is around 523 Ether. pic.twitter.com/cFhHMty7fa
BlockSec states that ElasticSwap uses two accounting systems – for adding liquidity the smart contract uses the internal accounting system, however for removing liquidity it uses a token-balance-based accounting system, reducing the internal accounting reserves. The attacker exploited this mechanic by first adding liquidity, then transferring USDC directly to the smart contract, and after that removing the liquidity, thus imbalancing the internal USDC reserve of the contract, and finally swapping USDC for AMPL for profit.
Although ElasicSwap confirmed the attack and urged its users to remove liquidity from the protocol, there have been no further details on the attack shared by the company. Nevertheless, a few hours after the exploit, the exchange stated it is open to communication with the hacker and promised to provide updates via its official channels.