Decentralized finance (DeFi) protocol WDZD Swap was exploited on May 19 for $1.1 million worth of Binance Pegged Ether, according to a May 21 report from blockchain security firm CertiK. Binance Pegged Ether represents Ether (ETH) that has been bridged to BNB Smart Chain (BSC).
According to the report, an attacker conducted nine malicious transactions that drained 609 Binance Pegged ETH, worth $1.1 million at the time of the attack, from a contract associated with the WDZD project.
WDZD claims to be a DeFi project that runs on BNB Smart Chain. It is promoted by the Twitter account @DZDDAO, which has over 86,000 followers. The Telegram channel linked to this account also has 28,000 members. Cointelegraph could not verify how the protocol is supposed to work, and CertiK stated they “are not 100% on all the mechanics of the project.” However, the user interface for the app implies that it can be used to farm a token called “WDZD” in exchange for staking ETH.
WDZD Swap interface. Source: WDZDSwap
In a May 24 conversation with Cointelegraph, a representative from CertiK reported that WDZD may have also been sold to users for Binance Pegged ETH as part of an initial DEX offering (IDO). CertiK shared an image of what appears to be a WDZD advertisement for an IDO.
WDZD advertisement. Source: CertiK
The BNB Smart Chain (BSC) address at the bottom of the advertisement is 0xb75ac203c6fcba8d06659cd9c25a343598c6b627. Blockchain data shows that hundreds of transfers of ETH were made into this account. The account also transferred 460 ETH to another address, where it was then used in an “Add Liquidity” function-call. This call is often used to deposit an asset to a liquidity pool in exchange for LP tokens.
Blockchain data shows that the deposited 460 ETH ended up in the “Swap LP” contract at BSC address 0xe0c352c56af65772ac7c9ab45b858cb43d22f28f.
On May 19, a known exploiter labeled “Fake_Phishing750” created the contract that later drained the tokens from the protocol. Fake_Phishing750 was responsible for an attack on another protocol called “Swap X,” CertiK stated.
Once the attacker created their malicious contract, they used it to perform nine transactions that drained $1.1 million of ETH from the Swap LP contract where the ETH had been deposited.
The Swap LP contract is unverified by BscScan, which means that human-readable code for it is unavailable, making it difficult to determine exactly how the attacker drained the funds. However, CertiK claimed that the attacker could transfer WDZD tokens to the protocol’s factory address through an unverified function-call. This WDZD was then swapped for LP tokens, which, in turn, were redeemed for the underlying ETH.
“The attacker manipulated a low-level call in the Swap-LP factory address which triggered the 0x33604058 function of the SwapLP Pair,” the report stated. “This resulted in the transfer of all WDZD tokens in the pair to the factory address. Consequently, the attacker was able to acquire a larger number of SWAP LPs from the unverified address 0x3c4e06d17e243e2cb2e4568249b6f7213c43c743, using fewer WDZD and subsequently burning the LPs for profit.”
Related: Project takes off with $31.6M in alleged exit scam
Cointelegraph attempted to contact the WDZD Swap team through their Telegram channel. However, the channel produced a “sending messages is not allowed in this group” error message, indicating that it may have been set to only allow admin posts.
Hacks, scams and rug pulls have plagued the crypto community in 2023. On April 24, the Ordinals Finance protocol allegedly performed a rug pull, draining over $1 million in assets from the protocol’s contracts. On May 2, another $1 million was lost when an attacker exploited a bug in a Level Finance contract.
CertiK reported in May that Q1 losses from exploits declined in the first quarter, but they also stated that this was probably a “temporary reprieve.”