According to ElasticSwap’s website, ElasticSwap is an Automated Market Maker (AMM) focused on elastic supply tokens. An AMM is a protocol that allows digital assets to be traded in a decentralized way. AMMs have introduced a number of other innovations such as liquidity pools.
ElasticSwap was exploited three times by multiple flash loan attacks that led to approximately $850,000 in stolen funds. The attacker exploited a vulnerability in the ElasticSwap exchange contract, allowing the attacker to manipulate all ElasticSwap pools on the Avalanche blockchain and drain their liquidity.
On 12 December, 2022, at 07:33 AM UTC, the ElasticSwap team announced to the community via Twitter (@ElasticSwap) that an exploit had occurred and that they were hoping to recover funds. Image: Exploit announcement from ElasticSwap team. Source: Twitter.
The ElasticSwap team posted an additional message on their Discord disclosing that they had a bounty program and were willing to negotiate the return of funds. Image: Discord announcement highlighting their bounty program. Source: Discord.
Two days later, a majority of the funds were recovered. According to the ElasticSwap team, an EVM bot was successful at front-running the attacker on Ethereum. The owner of the bot and the owner of the relayer bot have refunded the majority of the stolen funds in accordance with the ElasticSwap bounty program. At the time of writing, the ElasticSwap Ethereum treasury multisig wallet holds slightly over 487 ETH, valued at $625,000.
On 15 December, 2022, at 08:24 AM UTC, the team posted a link asking the community to vote on how they would like the recovered assets managed while the team works through proposals to refund those affected by this attack. Image: ElasticSwap funds management poll. Source: Discord.
On 22 January, 2023, the ElasticSwap team posted in the Discord announcement channel two links to JSON files that contain aggregate losses for USD Coin (USDC) and AMPL. The losses are sorted by address across all chains for the community to review. At the time of writing, the ElasticSwap team claims to have recovered approximately 55% of user funds. Image: ElasticSwap user loss announcement. Source: Discord.
On 1 February, 2023, an additional message was sent to the team's Discord announcement channel updating the JSON file with the amount of TIC that was lost on ETH. Image: ElasticSwap user loss update announcement. Source: Discord.
Attacker: 0x3bdF0…
Attacker contract: 0xa274…
New contract used to check LP status: 0xffeF4…
Victim contract: 0x4ae1D…
Attack one transaction: 0x782b2…
Attack two transaction: 0x23bc3…
Attack three transaction: 0xa6cf0…
The primary vulnerability in this exploit is that the calculation of quoteTokenQtyToReturn is derived from the contract's current quote token balance rather than from reserves the contract tracks itself. That balance was easy to manipulate: transferring the quote token directly to the contract changed the input to the calculation without going through any of the pool's own accounting. Image: Contract Vulnerability. Source: Internal.
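The following model, added here as an illustration and not ElasticSwap's code, contrasts the two accounting choices described above: a quote computed from the pool's live token balance versus one computed from reserves the pool records on its own add/remove/swap paths. The Pool class, its method names and all figures are constructed for the example.

```python
"""Model of the accounting flaw described above: deriving
quoteTokenQtyToReturn from the pool's live quote-token balance versus from
reserves the pool itself records. Added illustration, not ElasticSwap's
code; the Pool class, method names and numbers are constructed."""

from dataclasses import dataclass


@dataclass
class Pool:
    base_reserve: int        # liquidity the pool has accounted for
    quote_reserve: int
    quote_balance: int       # what balanceOf(pool) would report

    def quote_out_from_balance(self, base_in: int) -> int:
        # Weak pattern: reads the token balance, which any holder can raise
        # with a plain transfer, so the quote depends on untracked tokens.
        return self.quote_balance * base_in // (self.base_reserve + base_in)

    def quote_out_from_reserves(self, base_in: int) -> int:
        # Hardened pattern: quote only from reserves written by the pool's
        # own logic; a direct transfer does not move them.
        return self.quote_reserve * base_in // (self.base_reserve + base_in)

    def receive_direct_transfer(self, amount: int) -> None:
        # Tokens sent straight to the contract: balance moves, reserves don't.
        self.quote_balance += amount

    def untracked_surplus(self) -> int:
        # Monitoring hook: a persistent gap between balance and reserve is
        # the signal that pricing inputs changed outside the pool's logic.
        return self.quote_balance - self.quote_reserve


def compare_quotes(base_in: int, direct_transfer: int) -> tuple[int, int, int]:
    """Quote base_in both ways around a direct quote-token deposit.
    Returns (reserve-based quote before deposit, balance-based quote after,
    reserve-based quote after)."""
    pool = Pool(base_reserve=1_000_000, quote_reserve=1_000_000,
                quote_balance=1_000_000)
    before = pool.quote_out_from_reserves(base_in)
    pool.receive_direct_transfer(direct_transfer)
    return (before,
            pool.quote_out_from_balance(base_in),
            pool.quote_out_from_reserves(base_in))


if __name__ == "__main__":
    print(compare_quotes(base_in=100_000, direct_transfer=4_000_000))
```

The balance-based quote for the same input grows fivefold after the deposit while the reserve-based quote is unchanged, which is why reserve accounting plus a balance-versus-reserve check is the usual mitigation.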
While a significant amount of assets was taken from users, the ElasticSwap team was able to recover most of the funds through their bounty program. At the time of writing, 50.89% of users have voted to convert the funds proportionally.
Smart contract auditing can recognize and neutralize incidents before malicious actors can exploit and steal funds. Protect yourself and your assets by following @CertiKAlert on Twitter to stay up to date on all the latest Web3 security news, and visiting certik.com to check out the Security Leaderboard and learn more about auditing.