Decoding Elastic Swap’s $850K Exploit | QuillAudits


Introduction to Elastic Swap:

Check out the official docs for more information.

Vulnerability Analysis & Impact:

Avalanche Chain Details:

AVA Exploit txn: 0x782b2410fcc9449ead554a81f78184b6f9cca89f07ea346bc50cf11887cd9b18
TICvUSDC.e Contract: 0x4ae1da57f2d6b2e9a23d07e264aa2b3bbcaed19a

Ethereum Chain Details:

Original Attack Txn: 0xc2d86035f20389088b4277de6f13ca3f8bb819381b95e58359a22d0ad6f5cbda
MEV front-run txn: 0xb36486f032a450782d5d2fac118ea90a6d3b08cac3409d949c59b43bcd6dbb8f

The Attack

But for removeLiquidity, it uses token-balance-based accounting in which the balance of two tokens (baseToken and quoteToken) in the current pool is used to calculate the amount. See here.

Attack Steps:

  1. The attacker begins by adding liquidity to the TIC-USDC pool.

2. He then deposits $USDC.e directly into the TIC-USDC pool.

3. The attacker then removed the liquidity, causing the contract’s internal USDC reserve to become unbalanced.

4. Finally, when the pool became unbalanced, the attacker swapped USDC for TIC tokens and made a profit out of it.

Exploit in Ethereum:

After the Exploit :

Status of the fund:

AVA Chain:

ETH Chain:

Further Reference:

Similar projects secured by QuillAudits:

  1. Oboswap
  2. ArtSwap

Web3 security- Need of the hour

Want more Such Security Blogs & Reports?

Partner with QuillAudits :



Smart Contract Auditing Experts , Making web3 a safer place .

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store