Decentralized finance (DeFi) protocol WDZD Swap was targeted in an attack on May 19, resulting in the loss of $1.1 million worth of Binance-Pegged Ether, as revealed by blockchain security firm CertiK in a report on May 21. The attacker, known as “Fake_Phishing750” on BSCScan, executed nine malicious transactions that drained 609 Binance-Pegged ETH from a contract associated with the WDZD project.
WDZD Swap is a DeFi project operating on the Binance Smart Chain (BSC) and promoted by the Twitter account @DZDDAO, which boasts over 86,000 followers. While the mechanics of the project were not entirely clear to CertiK, the user interface suggests that it enables users to farm the WDZD token in exchange for staking ETH. CertiK also uncovered evidence suggesting that WDZD may have been sold to users in an initial DEX offering (IDO).
The attack involved the creation of a malicious contract by Fake_Phishing750, which was used to drain the funds from the Swap LP contract where the ETH had been deposited. The specifics of how the attacker carried out the exploit remain unclear due to the unavailability of human-readable code for the Swap LP contract. However, CertiK explained that the attacker manipulated a low-level call in the Swap-LP factory address, resulting in the transfer of WDZD tokens to the factory address. Subsequently, the attacker acquired a larger number of SWAP LPs using fewer WDZD tokens and profited from burning the LPs.
Attempts to contact WDZD Swap through their Telegram channel were unsuccessful, with messages being restricted to admin posts only. The attack on WDZD Swap adds to the list of hacks, scams, and rug pulls that have plagued the crypto community in 2023. CertiK noted that while exploit losses declined in the first quarter, this might only be a temporary reprieve.