On July 1, 2023, an attacker exploited a vulnerability in the Biswap V3 Migrator contract on Binance Smart Chain (BSC) and stole tokens worth approximately $140,000 from unsuspecting users. The attacker used a fake token attack to manipulate the parameters of the migration function and drained liquidity from users who had authorized their liquidity provider (LP) tokens to be transferred to the V3 Migrator contract. This attack was possible because the V3 Migrator contract did not validate the parameters when migrating from Biswap V2 to Biswap V3. If this attack had not been timely prevented, it could have caused Biswap losses of tens of millions of dollars in assets.

Transactions

The attacker executed three transactions to perform the attack:

https://bscscan.com//tx/0xe13ec0941580d3c286b46fa6566f20195bdd52b3d65fc7ff4a953a8fc774c6c4

https://bscscan.com//tx/0xe5c89e9ac217e4e16c2399f3597f7b5fbb73b45c1d3360788ee51ea2561def3a

https://bscscan.com//tx/0x8693a95f8481ba02ceaabed8e95b4e1eb8ac589c69c027c96b12ac5295714c3f

Attacker

The attacker's address is [0xa1e31b29f94296fc85fac8739511360f279b1976]

Attacked Contract

The attacked contract is [0x1d448e9661c5abfc732ea81330c6439b0aa449b5]. This contract was deployed by the attacker on June 30, 2023, the day before the attack. The contract has a simple logic, it calls the V3 Migrator contract with different parameters.

Target Contract

The target contract is [0x839b0afd0a0528ea184448e890cbaaffd99c1dbf]. This is the V3 Migrator contract deployed by Biswap on June 28, 2023. The contract aims to help users migrate their LP tokens from Biswap V2 to Biswap V3.

Attack Steps

The attacker exploited a vulnerability in the V3 Migrator contract, allowing them to manipulate the parameters of the migration function. The attack steps are as follows:

1. The victim authorized the LP token to the Biswap V3 Migrator contract;

2. The attacker burned the victim's V2 LP token and added fake tokens to the V3 liquidity. At this step, token 0 and token 1 of the V2 LP are still in the V3 Migrator contract;

3. The attacker burned the fake V2 LP token and added V2 token 0 and token 1 to the V3 liquidity. The excess token 0 and token 1 used to add V3 liquidity were transferred back to the attacker. At the same time, the V3 liquidity in this step also belongs to the attacker.

Root Cause

The fundamental cause of the attack is that the Biswap V3 Migrator contract did not verify the parameters when migrating from Biswap V2 to Biswap V3. In particular, there is a significant issue in the contract:

• The contract did not verify if the token 0 and token 1 parameters match the actual tokens in the V2 LP token

This issue allowed the attacker to pass fake tokens and amounts to the migration function, and steal real tokens from users who authorized the LP token to the V3 Migrator contract.

Key Code

Damaged Assets

The attacker [0xa1e31b29f94296fc85fac8739511360f279b1976] illicitly obtained up to $140,000 in assets

Fund Flow

The attacker withdrew liquidity in exchange for $BNB

In the end, the attacker sent 603 $BNB to Tornadocash for money laundering

PoC

https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/Biswap_exp.sol

Security Advice

It is strongly recommended that users revoke the authorization of Biswap V 3 Migrator: https://bscscan.com/tokenapprovalchecker

Conclusion

The attack on Biswap is a typical example of fake token attacks that exploit vulnerabilities in DEX on BSC to harvest funds from users and projects. This attack also highlights the importance of verifying the parameters and balances of contracts that handle user funds. Users should also be cautious when authorizing tokens to third-party contracts and check the source code and audit reports of contracts before using them. In response to this attack, Biswap has quickly implemented two countermeasures:

1. Request users to revoke authorization for the V 3 Migrator contract as soon as possible, so that attackers can no longer access their LP tokens;

2. Delete the tweets they have posted promoting V 3 migration and inform users about the migration of LP token earnings

If this attack is not stopped in time, all migration contracts of Biswap will suffer tens of millions of dollars in losses, as attackers can use fake tokens to move all liquidity from Biswap V 2 to Biswap V 3, which will be a devastating blow to Biswap and its users, as well as a serious setback for the development of DEX on BSC.