Project name: BiSwap
Project type: DEX
Date of exploit: June 30th, 2023
Asset loss: $865,000
Vulnerability: Lack of Input Validation
Date of audit report publishing:
Conclusion: Out of Audit Scope
Biswap is a DEX project, supporting swap, farm, staking, etc.
The root cause of the incident is that the BiswapV3 Migrator failed to validate user input parameters, which allowed the attacker to (1) migrate the victim user's BiswapV2 LP to a bad tick and (2) use a fake BiswapV2 pair contract to deceive the migrator and receive BiswapV3 LP for the same tick. The attacker was then able to drain the migrator's reserve and steal the victim's V3 liquidity through the refund process in the MigratorV3 contract.
On June 30th, 2023, Biswap's liquidity migrator contract, used for migrating liquidity from v2 to v3, was exploited. The vulnerable code is located in the MigratorV3 contract, which was not audited by CertiK.