Analysis 2023-07-11
How a Fake Token Attack Drained $144,000 from Biswap Users on BSC

Daniel Tan
Security Operation / Audit
Summary
Attacker exploited a vulnerability in the Biswap V3Migrator contract on BSC and stole about $144,000 worth of tokens
On July 1st, 2023, an attacker exploited a vulnerability in the Biswap V3Migrator contract on Binance Smart Chain (BSC) and stole about $144,000 worth of tokens from unsuspecting users. The attacker used a fake token attack to manipulate the parameters of the migration function and siphon off the liquidity from users who approved their liquidity provider (LP) tokens to the V3Migrator contract. The exploit was possible because the V3Migrator contract did not validate the parameters when migrating from Biswap V2 to Biswap V3. It could have resulted in losses of tens of millions of dollars for its users if this attack had not been stopped in time.
Transactions
The attacker executed three transactions to carry out the exploit:
- https://bscscan.com//tx/0xe13ec0941580d3c286b46fa6566f20195bdd52b3d65fc7ff4a953a8fc774c6c4
- https://bscscan.com//tx/0xe5c89e9ac217e4e16c2399f3597f7b5fbb73b45c1d3360788ee51ea2561def3a
- https://bscscan.com//tx/0x8693a95f8481ba02ceaabed8e95b4e1eb8ac589c69c027c96b12ac5295714c3f
Attacker
The attacker’s address is [0xa1e31b29f94296fc85fac8739511360f279b1976].
Attacking Contract
The attacking contract is [0x1d448e9661c5abfc732ea81330c6439b0aa449b5]. This contract was deployed by the attacker on June 30th, 2023, one day before the exploit. The contract has a simple logic that calls the V3Migrator contract with different parameters.
Attacked Contract
The attacked contract is [0x839b0afd0a0528ea184448e890cbaaffd99c1dbf]. This is Biswap’s V3Migrator contract that was deployed on June 28th, 2023. The contract is supposed to help users migrate their LP tokens from Biswap V2 to Biswap V3.
Attacking Steps
The attacker exploited a flaw in the V3Migrator contract that allowed them to tamper with the parameters of the migration function. The attacking steps are as follows:
- Victims approved LP tokens for the Biswap V3Migrator contract;
- The attacker burned the victim’s V2 LP token and added V3 liquidity with fake tokens. At this step, the token0 and token1 of V2 LP were still in the V3Migrator contract;
- The attacker burned the fake V2 LP token and added V3 liquidity with token0 and token1 of V2 LP. Finally, the surplus token0 and token1 that were not used to add the V3 liquidity were transferred back to the attacker. At the same time, the V3 liquidity in this step also belonged to the attacker.
Root Cause
The root cause of the exploit is that Biswap’s V3Migrator contract did not validate the parameters when migrating from Biswap V2 to Biswap V3. Specifically, there is a significant issue in the contract:
The contract does not verify that the token0 and token1 parameters match with the actual tokens in the V2 LP token;
These issues allow the attacker to pass fake tokens and amounts to the migration function and steal the real tokens from the users who approved LP tokens to the V3Migrator contract.
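The missing check described above, sketched in Solidity as an added example; it is not Biswap's code and does not come from the original article. The names `IV2Pair`, `IV2Factory`, `trustedV2Factory` and `_checkMigrationParams` are hypothetical, and the pair and factory functions assume a Uniswap-V2-style interface. The factory lookup goes one step beyond the check the article names, so that a fake V2 LP token like the one in the attacking steps is rejected as well.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not Biswap's code. Interface names are assumptions
// modelled on a Uniswap-V2-style pair and factory.
interface IV2Pair {
    function token0() external view returns (address);
    function token1() external view returns (address);
}

interface IV2Factory {
    function getPair(address a, address b) external view returns (address);
}

abstract contract MigrationParamChecks {
    // Hypothetical: the V2 factory this migrator is meant to serve, fixed at deployment.
    address public immutable trustedV2Factory;

    error UnknownPair(address pair);
    error TokenMismatch(address expected, address supplied);

    constructor(address v2Factory) {
        trustedV2Factory = v2Factory;
    }

    /// Reject a migration whose caller-supplied token0/token1 differ from what
    /// the pair reports, or whose pair was not created by the trusted factory.
    /// Intended to run before any LP token is burned or any liquidity is minted.
    function _checkMigrationParams(address pair, address token0, address token1)
        internal
        view
    {
        address real0 = IV2Pair(pair).token0();
        address real1 = IV2Pair(pair).token1();

        // A counterfeit pair can report any tokens it likes, so ask the factory
        // which pair it created for those tokens instead of trusting the pair.
        if (IV2Factory(trustedV2Factory).getPair(real0, real1) != pair) {
            revert UnknownPair(pair);
        }

        // The parameters that were left unvalidated: they must name the pair's own tokens.
        if (token0 != real0) revert TokenMismatch(real0, token0);
        if (token1 != real1) revert TokenMismatch(real1, token1);
    }
}
```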
Key Code
Asset Loss
0xa1e31b29f94296fc85fac8739511360f279b1976 made a profit of ~$144,000.
Financial Flows
The attacker removed the liquidity and swapped the tokens for $BNB.
Finally, the attacker transferred 603 $BNB into Tornado Cash for money laundering.
PoC
https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/Biswap_exp.sol
Suggested Solution
We highly recommend that users revoke their approval for the Biswap V3Migrator contract using https://bscscan.com/tokenapprovalchecker
Conclusion
The Biswap exploit is another example of how fake token attacks can be used to exploit DEXes on BSC. The exploit shows the importance of validating the parameters and balances of contracts that handle user funds. Users should also be careful when approving their tokens to third-party contracts and check the source code and audits of the contracts before using them.
As the leading web3 security service provider, MetaTrust Labs was the first to discover this attack and report it to Biswap on Twitter on July 1st. MetaTrust Labs also provided Biswap with two suggestions to stop the attack and prevent further losses:
- Ask users to revoke their approvals for the V3Migrator contract as soon as possible, so that the attacker could not access their LP tokens anymore;
- Delete their own tweet that promoted the V3 migration and informed users about the benefits of migrating their LP tokens, as this tweet could mislead users into falling victim to the attack.
If this attack had not been stopped in time, all of Biswap’s migration contracts would have suffered losses of tens of millions of dollars. This would have been a devastating blow to Biswap and its users, as well as a serious setback for the development of DEXes on BSC.
About Us
At MetaTrust, our primary focus is on creating a secure infrastructure that caters to the needs of developers in the WEB 3.0 space. We offer an array of AI-Driven automation tools and security services to assist Web3 developers and project stakeholders in achieving a secure development environment.

@2023 by MetaTrust Labs Pte. Ltd. All Rights Reserved