Leading DEX on Layer-2 Base, LeetSwap, Exploited

LeetSwap, the largest decentralized exchange (DEX) on the layer-2 Base platform, has temporarily halted trading to investigate reports of a security vulnerability.

LeetSwap Halts Trading Due to Exploit
In an announcement on Twitter, LeetSwap confirmed that all trading activity was paused on the morning of August 1 to investigate a report indicating that several liquidity pools had been exploited.
As our DEX is forked from Solidly, our factory had a security pause function.
We noticed that some pool liquidity might have been compromised and we temporarily stopped the trading to investigate.
— LeetSwap (@LeetSwap) August 1, 2023
Security firm PeckShield provided evidence that a liquidity pool on LeetSwap was exploited, resulting in the withdrawal of 340 ETH, equivalent to approximately $630,000.
#PeckShieldAlert Our community contributor has reported that LP pairs on #Base have been exploited for approximately 340 ETH (~$630K). https://t.co/U1nGmuwSGj pic.twitter.com/1dcXHZdbth
— PeckShieldAlert (@PeckShieldAlert) August 1, 2023
Nature of the Exploit
Igor Igamberdiev, a researcher at Wintermute, explained that the exploit stemmed from a function within the code of LeetSwap's pools, allowing users to withdraw all liquidity from the pool with a few simple steps.
It was easy:
- swap a bit of WETH for X tokens (should have fees)
- call _transferFeesSupportingTaxTokens(address, uint256) to move token to a Fees contract
- call sync()
- swap X tokens for all WETH from the pool
Don't think that this function should be public
GG WP pic.twitter.com/a7vXvWf0HY
— Igor Igamberdiev (@FrankResearcher) August 1, 2023
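To make the mechanism above concrete from a defender's viewpoint, here is an added, illustrative model of a constant-product pair (not LeetSwap's or Solidly's code) in which a fee-transfer helper can be either callable by anyone or restricted to the pair's own logic; the names Pool, transfer_fees and run_sequence are assumed for this example. It shows why moving tokens out of the pair and then calling sync() lets a small token position take almost all of the WETH, and that restricting the helper stops it.

```python
from dataclasses import dataclass

class Unauthorized(Exception):
    """Raised when a non-pair caller tries to move fee tokens out of the pair."""

@dataclass
class Pool:
    # Illustrative x*y=k pair. Balances are what the pair really holds;
    # reserves are what it believes it holds after the last sync().
    bal_weth: float
    bal_x: float
    fee_contract: float = 0.0   # tokens parked in a hypothetical fees contract
    restricted: bool = True     # False models the publicly callable helper

    def __post_init__(self):
        self.res_weth, self.res_x = self.bal_weth, self.bal_x

    def _out(self, amount_in, res_in, res_out):
        # Constant-product output, swap fee ignored for clarity
        return res_out * amount_in / (res_in + amount_in)

    def swap_weth_for_x(self, weth_in):
        x_out = self._out(weth_in, self.res_weth, self.res_x)
        self.bal_weth += weth_in; self.bal_x -= x_out
        self.sync()
        return x_out

    def swap_x_for_weth(self, x_in):
        weth_out = self._out(x_in, self.res_x, self.res_weth)
        self.bal_x += x_in; self.bal_weth -= weth_out
        self.sync()
        return weth_out

    def transfer_fees(self, amount, caller_is_pair=False):
        # Hardened form: only the pair's own swap path may move tokens out
        if self.restricted and not caller_is_pair:
            raise Unauthorized("fee transfer must be internal to the pair")
        self.bal_x -= amount; self.fee_contract += amount

    def sync(self):
        # Reserves are overwritten with current balances, no matter why they changed
        self.res_weth, self.res_x = self.bal_weth, self.bal_x

def run_sequence(restricted):
    """Replays the four steps from the tweet; returns (pool, WETH received)."""
    pool = Pool(bal_weth=100.0, bal_x=100_000.0, restricted=restricted)
    x_held = pool.swap_weth_for_x(1.0)            # constructed starting position
    try:
        pool.transfer_fees(pool.bal_x - 1.0)      # leave a single X token behind
    except Unauthorized:
        return pool, 0.0                          # hardened pair: sequence stops here
    pool.sync()
    return pool, pool.swap_x_for_weth(x_held)
```

With the helper unrestricted, the final swap returns roughly 100.9 WETH for the 1 WETH spent, because sync() has shrunk the X reserve to a single token; with it restricted, the pair keeps its 101 WETH.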
Background on Base and LeetSwap
LeetSwap is the leading DEX on Base, a layer-2 solution developed by Coinbase, which launched its mainnet in mid-July. The platform also witnessed the rise and subsequent rug pull of the memecoin BALD at the end of July.
Despite being a new platform without a dedicated cross-chain bridge, Base saw substantial inflows of capital, with over $50 million transferred in the past 72 hours. However, it has also attracted malicious actors, including a wallet that rug pulled 29 memecoins, turning an initial investment of $100,000 into $1 million.
An address deployed 29 meme coins on @BuildOnBase and rugged every one of them.
It deposits 55.51 $ETH ($103K) to #base and now the total portfolio value is ~$1.07M.
It's also a serial rug-puller on #bsc & #Arbitrum https://t.co/NpZGwkPlTz pic.twitter.com/IORzKMWX8c
— Scopescan (@0xScopescan) July 31, 2023
Conclusion
The incident highlights the risks associated with new and rapidly growing DeFi platforms. LeetSwap's quick action to pause trading and investigate the exploit demonstrates the importance of security measures in protecting user funds. As Base continues to grow, ensuring the security and integrity of its ecosystem will be crucial to maintaining user trust and fostering sustainable development.