AirSwap’s New Smart Contract Causes Critical Vulnerability On Users’ Accounts, Ten Accounts At Risk
AirSwap, an Ethereum-based peer-to-peer decentralized exchange, announced a “critical vulnerability” in its new smart contract release over the weekend. The internal security review process identified a loophole in the new AirSwap Instant smart contract that affected about 20 user addresses. The AirSwap team quickly halted any possible attacks on over half of the affected accounts, with nine accounts still at risk.
The attack in question allows a counterparty to swap digital assets held by the at-risk accounts without the need for a signature, under specified conditions.
Quick Response on the Matter
In less than 24 hours, the team had detected the vulnerability in the new smart contract and quickly reverted to the old system. By the time it was discovered, however, 20 user accounts had already been affected between September 11 and September 12. The team stopped the smart contract, rescuing over 10 of the accounts, and the list below shows the remaining nine accounts at risk.
The nine addresses still at risk from the new smart contract by AirSwap. Follow this link to deny authorization. (Source: Medium)
The Medium announcement confirmed that all other accounts in the network are safe and called on the owners of the accounts above to use this link to keep their accounts safe.
The affected users are urged to reclaim their tokens using the refundETH method. The report read,
“Affected users who held WETH can reclaim their tokens by calling the refundEth method on your full balance on the refund contract. Note that you must first revoke authorization for the AirSwap wrapper or your refunded funds will be at risk.”
Despite the challenges in their smart contract development, the AirSwap team aims to learn from this and
“form the basis for a more open, secure, and efficient trading environment.”