Post Mortem: BiSwap
1/7/2024

Project name: BiSwap

Project type: DEX

Date of exploit: June 30th, 2023

Asset loss: $865,000

Vulnerability: Lack of Input Validation

Date of audit report publishing:

  • May 24th, 2021: Biswap
  • Sep 10th, 2021: Biswap (Audit 4)
  • Sep 05th, 2023: Biswap v3 amm (audit)

Conclusion: Out of Audit Scope

Details of the Exploit

Background

Biswap is a DEX project, supporting swap, farm, staking, etc.

Nature of the Vulnerability

The root cause of the incident is that the BiswapV3 Migrator failed to validate user input parameters, which allowed the attacker to (1) migrate the victim user's BiswapV2 LP to a bad tick and (2) use a fake BiswapV2 pair contract to deceive the migrator and receive BiswapV3 LP of the same tick. The attacker was then able to drain the reserve of the migrator and steal the victim's V3 liquidity through the refund process in the MigratorV3 contract.
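The input checks whose absence is described above, shown as an added example that is not taken from Biswap's MigratorV3 or from the audit reports. The interfaces, the `ValidatedMigrator` contract, the `MigrateParams` fields and the `_mintV3` hook are hypothetical names, assuming a common V2-pair layout and a migrator that refunds unused tokens.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal interfaces in the common V2 style; not Biswap's source.
interface IV2Factory { function getPair(address a, address b) external view returns (address); }
interface IERC20Like { function transfer(address to, uint256 value) external returns (bool); }
interface IV2Pair {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function transferFrom(address from, address to, uint256 value) external returns (bool);
    function burn(address to) external returns (uint256 amount0, uint256 amount1);
}

abstract contract ValidatedMigrator {
    IV2Factory public immutable v2Factory; // trusted factory, fixed at deployment

    struct MigrateParams {
        address pair;          // V2 pair supplied by the caller (untrusted)
        uint256 liquidity;     // LP amount to migrate
        int24 tickLower;
        int24 tickUpper;
        uint256 amount0Min;    // minimum token0 that must end up in the V3 position
        uint256 amount1Min;    // minimum token1 that must end up in the V3 position
    }

    constructor(IV2Factory factory_) { v2Factory = factory_; }

    function migrate(MigrateParams calldata p) external {
        // 1. Reject look-alike pairs: the address must be the one the trusted factory registered.
        address t0 = IV2Pair(p.pair).token0();
        address t1 = IV2Pair(p.pair).token1();
        require(v2Factory.getPair(t0, t1) == p.pair, "pair not from factory");
        // 2. Reject malformed ranges before any funds move.
        require(p.tickLower < p.tickUpper, "bad tick range");
        // 3. Pull LP only from the caller, never from an owner address passed as a parameter.
        require(IV2Pair(p.pair).transferFrom(msg.sender, p.pair, p.liquidity), "LP pull failed");
        (uint256 a0, uint256 a1) = IV2Pair(p.pair).burn(address(this));
        // 4. Mint to the caller; a range that consumes less than the caller's floor reverts.
        (uint256 used0, uint256 used1) = _mintV3(msg.sender, t0, t1, a0, a1, p.tickLower, p.tickUpper);
        require(used0 >= p.amount0Min && used1 >= p.amount1Min, "below minimum");
        // 5. Refund only this call's leftovers, not the migrator's whole token balance.
        if (a0 > used0) require(IERC20Like(t0).transfer(msg.sender, a0 - used0), "refund0 failed");
        if (a1 > used1) require(IERC20Like(t1).transfer(msg.sender, a1 - used1), "refund1 failed");
    }

    // Pool-specific V3 mint, supplied by the concrete migrator; returns the amounts consumed.
    function _mintV3(address owner, address t0, address t1, uint256 a0, uint256 a1, int24 lo, int24 hi)
        internal virtual returns (uint256 used0, uint256 used1);
}
```

Tokens that do not return a boolean from `transfer` would need a safe-transfer wrapper such as OpenZeppelin's `SafeERC20` in place of the bare `require`.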

CertiK Audit Overview


Conclusion

On June 30th, 2023, Biswap's liquidity migrator contract, used to migrate liquidity from v2 to v3, was exploited. The vulnerable code is located in the MigratorV3 contract, which was not audited by CertiK.