This article is an original article by the chain catcher, authored by Hu Tao.

In the early hours of this morning, the cross-chain bridge project Chainswap was hacked again. More than 20 project tokens that deployed smart contracts on the bridge were stolen by hackers, which almost caused the most influential security incident in the history of DeF development.

According to the information released by several Twitter users, the hacker’s address is 0xEda5066780dE29D00dfb54581A707ef6F52D8113. Since the early morning of this morning, he has stolen more than 20 project tokens from the Chainswap cross-chain bridge contract. The projects involved include Antimatter, Corra, DAOventure, and FM Gallery. , Fei protocol, Fair Game, Rocks, Peri Finance, Strong, WorkQuest, Dora Factory, Unido, Unifarm, Wilder Worlds, Nord Finance, OptionRoom, Umbrella, Razor, Dafi Finance, Oropocket, KwikSwap, Vortex, Blank, Rai Finance, Sakeswap wait.

According to data from Etherscan and Bscscan, the hacker’s address has made approximately US$2.3 million in profits from the sale of tokens, and there are still tokens worth hundreds of thousands of dollars that have not yet been sold. According to the responses of some project parties, this may be because the developers have locked some of the stolen assets so that hackers cannot sell them. Currently, Chainswap has temporarily shut down its cross-chain bridge.

Twitter user @Christoph Michel analyzed this security incident, saying that each token has a proxy contract for cross-chain transfer, and the hacker must pay 0.005 ETH in _chargeFee as a fee when calling the contract, but this process has no real identity Validation check, only 1 signature is needed, the problem may be the _decreaseAuthQuota function, which resumes if the signer's quota for the day has been fulfilled. But everyone seems to start with the default quota. So the attacker just needs to sign the address differently each time to circumvent this. Then pass the `volume` parameter to the `to` attacker address in the _receive function.

Affected by this incident, ASAP, DVG, MATTER, NORD, DAFI, UMB, RAZOR, ROOM and other project tokens all experienced a drop of more than 40%. At present, nearly 10 affected project parties have responded to the matter on Twitter, and many of them are preparing to issue new tokens.

The Chainswap project tweeted that all ASAP token holders and LPs have been snapshotted, and new ASAP tokens will be airdropped 1:1, including ASAP holders on exchanges.

The OptionRoom project tweeted that Chainswap hackers obtained 3.3 million ROOM tokens, but the team noticed the hackers before the hackers sold any tokens, and decided to remove liquidity from Uniswap and Pancakeswap to protect token holdings. Owners and liquidity providers are protected from hackers selling into liquidity pools. Currently, the team is processing on-chain logs, and will airdrop new tokens to ROOM holders in the future.

The Antimatter project tweeted that it has taken a snapshot of all MATTER holders and LPs, and will airdrop new MATTER tokens 1:1, including MATTER holders on the exchange.

The Peri Finance project team tweeted that due to a vulnerability in Chainwap, the team has withdrawn all the liquidity of Uniswap and Pancakeswap. This is to prevent the hacker from selling the tokens he obtained and exhausting the liquidity.

The Dafi Finance project team tweeted that due to the attack on the Chainswap cross-chain bridge, hackers sold 200,000 DAFI, and the team will repurchase DAFI in the open market for 6 months. At the same time, the project reminds the community to withdraw liquidity from DEXs such as Uniswap as soon as possible.

The Rai Finance project tweeted that it was confirmed that Chainswap was severely attacked, and 700,000 RAI had been stolen and deposited into the hacker's Huobi account address. "Please bear with the temporary fluctuation of RAI price on the exchange. The team is in touch and monitoring the situation."

The Unifarm project tweeted that Chainswap is under attack, "They suggested that we cancel liquidity, we have already done so on Uniswap and Pancake Swap, and we ask the community to remove their liquidity as well until this problem is resolved. The project also said it had locked all of the hacker's UFARM tokens with developer access, so the hacker could not sell them.

The DAOventures project team tweeted that due to the attack on Chainswap, hackers acquired and sold 300,000 DVG worth $40,000, and the project will take a snapshot to compensate the affected DVG holders.

Previously, on July 2, Chainswap was also attacked by hackers. Some user tokens were actively withdrawn from the wallets interacting with ChainSwap. The total loss is estimated to be 800,000 US dollars. Chainswap stated that it has repurchased a small amount of affected tokens from the market And return the contract wallet, and the rest will be fully compensated by the Chainswap treasury.

Earlier in April, ChainSwap announced that it had completed a $3 million strategic round of financing, with participation from Alameda Research, OK Block Dream Fund, NGC Ventures, Spark Digital Capital, and Continue Capital.