Project name: BiSwap
Project type: DEX
Date of exploit: June 30th, 2023
Asset loss: $865,000
Vulnerability: Lack of Input Validation
Date of audit report publishing:
- May 24th, 2021: Biswap
- Sep 10th, 2021: Biswap (Audit 4)
- Sep 5th, 2023: Biswap v3 amm (audit)
Conclusion: Out of Audit Scope
Details of the Exploit
Background
Biswap is a DEX project, supporting swap, farm, staking, etc.
Nature of the Vulnerability
The root cause of the incident is that the BiswapV3 Migrator failed to validate user-supplied input parameters. This allowed the attacker to (1) migrate the victim's BiswapV2 LP into a bad tick range and (2) pass a fake BiswapV2 pair contract to the migrator in order to receive BiswapV3 LP for that same tick range. The attacker was then able to drain the migrator's reserve and steal the victim's V3 liquidity through the refund process of the MigratorV3 contract.
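To make the class of bug concrete, the following is an added, simplified Solidity illustration written for this page. It is not Biswap's MigratorV3 code and does not reproduce the actual contract or the exploit transactions; the interfaces (IV2Pair, IV2Factory, IV3PositionManager), the MigrateParams struct, the tick bounds and the token approvals that a real migrator would need are all assumptions made for illustration. It shows a migrator that trusts the caller's pair address, tick range and LP owner, next to a hardened version that checks the pair against the factory, bounds the tick range, takes LP only from msg.sender, and measures received balances instead of trusting the pair's return values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal hypothetical interfaces for illustration; not Biswap's ABI.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address to, uint256 value) external returns (bool);
}

interface IV2Pair {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function transferFrom(address from, address to, uint256 value) external returns (bool);
    function burn(address to) external returns (uint256 amount0, uint256 amount1);
}

interface IV2Factory {
    function getPair(address tokenA, address tokenB) external view returns (address);
}

interface IV3PositionManager {
    function mint(address token0, address token1, int24 tickLower, int24 tickUpper,
                  uint256 amount0, uint256 amount1, address recipient)
        external returns (uint256 tokenId, uint256 used0, uint256 used1);
}

struct MigrateParams {
    address owner;      // whose V2 LP is migrated (hypothetical field)
    address pair;       // V2 pair the LP belongs to
    uint256 liquidity;  // amount of V2 LP tokens
    int24 tickLower;    // target V3 tick range
    int24 tickUpper;
    address recipient;  // receives the V3 position and any refund
}

// Vulnerable shape: every field of `params` is trusted exactly as supplied.
contract VulnerableMigrator {
    IV3PositionManager public immutable v3;
    constructor(IV3PositionManager _v3) { v3 = _v3; }

    function migrate(MigrateParams calldata params) external {
        IV2Pair pair = IV2Pair(params.pair);                  // unvalidated address
        address token0 = pair.token0();
        address token1 = pair.token1();
        // Anyone can migrate `owner`'s approved LP into any tick range they choose.
        pair.transferFrom(params.owner, params.pair, params.liquidity);
        // A caller-deployed `pair` can return any amounts here.
        (uint256 amount0, uint256 amount1) = pair.burn(address(this));
        (, uint256 used0, uint256 used1) = v3.mint(
            token0, token1, params.tickLower, params.tickUpper, amount0, amount1, params.recipient);
        // Refund is computed from the claimed amounts, so an inflated claim is
        // paid out of whatever token balance the migrator already holds.
        IERC20(token0).transfer(params.recipient, amount0 - used0);
        IERC20(token1).transfer(params.recipient, amount1 - used1);
    }
}

// Hardened shape: validate the pair against the factory, bound the tick range,
// take LP only from msg.sender, and measure what actually arrived.
contract HardenedMigrator {
    IV2Factory public immutable factory;
    IV3PositionManager public immutable v3;
    // Uniswap-V3-style tick bounds, assumed here for illustration.
    int24 public constant MIN_TICK = -887272;
    int24 public constant MAX_TICK = 887272;

    constructor(IV2Factory _factory, IV3PositionManager _v3) { factory = _factory; v3 = _v3; }

    function migrate(MigrateParams calldata params) external {
        IV2Pair pair = IV2Pair(params.pair);
        address token0 = pair.token0();
        address token1 = pair.token1();
        // 1. Only the canonical pair for (token0, token1) is accepted; a fake pair cannot pass.
        require(factory.getPair(token0, token1) == params.pair, "pair not from factory");
        // 2. The tick range must be well-formed and inside the protocol's bounds.
        require(params.tickLower < params.tickUpper, "tickLower >= tickUpper");
        require(params.tickLower >= MIN_TICK && params.tickUpper <= MAX_TICK, "tick out of bounds");
        // 3. Only the caller's own LP can be migrated; `params.owner` is ignored.
        pair.transferFrom(msg.sender, params.pair, params.liquidity);
        // 4. Trust balance deltas, not the pair's return values.
        uint256 bal0 = IERC20(token0).balanceOf(address(this));
        uint256 bal1 = IERC20(token1).balanceOf(address(this));
        pair.burn(address(this));
        uint256 amount0 = IERC20(token0).balanceOf(address(this)) - bal0;
        uint256 amount1 = IERC20(token1).balanceOf(address(this)) - bal1;
        (, uint256 used0, uint256 used1) = v3.mint(
            token0, token1, params.tickLower, params.tickUpper, amount0, amount1, params.recipient);
        // 5. Refund only the measured surplus from this migration.
        if (amount0 > used0) IERC20(token0).transfer(params.recipient, amount0 - used0);
        if (amount1 > used1) IERC20(token1).transfer(params.recipient, amount1 - used1);
    }
}
```

The checks that matter most are the factory lookup (a pair address that is not the factory's canonical pair for its two tokens is rejected outright) and the balance-delta accounting, which ties the refund to tokens the migrator actually received in this call rather than to numbers reported by a contract the caller controls. Restricting the LP source to msg.sender closes the path where a third party migrates someone else's approved LP into a range of the attacker's choosing.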
CertiK Audit Overview

Conclusion
On June 30th, 2023, Biswap's liquidity migrator contract, used to migrate liquidity from V2 to V3, was exploited. The vulnerable code is located in the MigratorV3 contract, which was not audited by CertiK.
