According to a report from blockchain security company CertiK on May 21st, the decentralized Finance (Defi) protocol WDZD swap was exploited on May 19, winning the use of Ether associated with $1.1 million worth of Binance. The Ether associated with Binance indicates that the Ether (ETH) of BNB Smart Chain (BSC) has been received by the bridge.

According to this report, an attacker conducted nine intentional transactions, consuming 609 ETH associated with Binance from contracts related to WDZD new projects, valued at $1.1 million at the time of the attack.

A new Defi project announced by WDZD to run on BSC. Promoted by the Twitter account @ DZDDAO, it already has more than 86000 fans. The Telegram channel connected to this account also has more than 28000 team members. Cointelegraph was unable to verify how the agreement worked, and Verification K indicated that the agreement "does not have 100% mastery of the entire system of the project." However, the program's interface implies that it can be used on a ranch with a token called "WDZD" in exchange for identifying ETH.

In an exchange with Cointelegraph on May 24th, one of the CertiK said in the report that the WDZD may also have been sold to Binance ETH consumers as part of the original DEX merchandise (IDO). CertiK shares a picture that looks like IDO's WDZD ad.

The BSC address at the bottom of the advertisement is 0xb75ac203c6fcba8d06659cd9c25a343598c6b627. Blockchain data show that there are more than 100 ETH transfers to the account. The account also migrates 460 ETH to another address and then applies it in the "add liquidity" function call to that address. Such notices are typically used to deposit property in the working capital pool in exchange for LP tokens.

The blockchain data indicates that the stored 460 ETH ended up in the "SWAP LP" contract at the BSC address 0xe0c352c56af65772ac7c9ab45b858cb43d22f28f.

On May 19th, a person labeled "FAKE_Phishing750" already knew that the attacker established the contract, which later removed the token from the agreement. Phishing _ Phishing750 launched an attack on another protocol called swap X, which was verified.

Once the intentional contract was created, the attacker used these to make nine transactions, withdrawing $1.1 million of ETH from the swap LP agreement that stored the ETH.

The SWAP LP contract is not certified by BSCScan, which means that people can read the code and cannot use it, so there is no way to determine exactly how the attacker ran out of money. However, CertiK claims that attackers can pass WDZD tokens to the protocol's factory address through unverified function calls. Subsequently, the WDZD is exchanged for a LP token, and the LP token is redeemed as a carrier ETH.

The report states: "the attacker controlled a low-level enable in the address of the SWAP-LP processing plant, triggering the correct 0x33604058 function formula for SwapLP." This causes all WDZD tokens in this pair to be transferred to the factory address. As a result, an attacker can get more swap LP from an unverified address 0x3c4e06d17e243e2cb2e4568249b6f7213c43c743, apply a lower WDZD, and then damage LP profits.

Related to:Project received $31.6 million on suspicion of withdrawing frauds.

Cointelegraph tried to contact WDZD SWAP with a message from the research team. However, the channel column forms an incorrect message "messages are allowed to be sent in this group", which means that if it has been set to allow only managers to post.

Internet hackers, swindlers and blankets plagued the login password community in 2023. On April 24, the numbered Financial Investment Corporation was reported to have conducted a pull-out, withdrawing more than $1 million from the contract. On May 2nd, attackers lost another $1 million when they exploited vulnerabilities in the Level Finance contract.

The company reported in May that losses from system vulnerabilities fell significantly in the first quarter, but the company also said it should be a "temporary reprieve".