Project name: BiSwap

Project type: DEX

Date of exploit: June 30th, 2023

Asset loss: $865,000

Vulnerability: Lack of Input Validation

Date of audit report publishing:

• May 24th, 2021: Biswap
• Sep 10th, 2021: Biswap (Audit 4)
• Sep 05th, 2023: Biswap v3 amm (audit)

Conclusion: Out of Audit Scope

Details of the Exploit

Background

Biswap is a DEX project, supporting swap, farm, staking, etc.

Nature of the Vulnerability

Root cause behind the incident is that the BiswapV3 Migrator failed to validate user input parameters, which allows the attacker to 1. migrate the victim user’s BiswapV2 LP to a bad tick and 2. use a fake BiswapV2 pair contract to deceive the migrator and receive BiswapV3 LP of the same tick. He then was able to drain the reserve of the migrator and steal the victim's V3 liquidity through the refund process in the MigratorV3 contract.

CertiK Audit Overview

Conclusion

On June 30th, 2023, the liquidity migrator contract of Biswap, for migrating liquidity from v2 to v3, was exploited. The vulnerable code is located on the MigratorV3 contract, which is not audited by Certik.