link.png

ID:

bitswift-1117

Date:

Status:

Incident Count:

December 8, 2021

Near-Miss

2

info.png
target.png
REKT

Contributor:

chain.png

web3rekt.com

KYC By:

KYC:

None

info.png

Audit By:

Audits:

None

Loss Amount:

-

info.png

Recovered:

-

Rewards:

4,515

Currency:

USD

info.png

Key Indicators

Platform:

Type:

Category:

Method:

Data Sources:

Multi-chains

Dapp

Dexes

Near-Miss

Extended Method:

No permission checks defined to endpoints

info.png

Days in Operation:

1413

(3.87 Years)

chain.png
chain.png
chain.png
chain.png
datasource.png

Bitswift.cash allows people to conveniently participate in the token economy, providing an accessible interface interconnecting blockchains, leaving the user in control of their own personal digital information.

The critical vulnerability was reported to Immunefi by a community security researcher. As its name suggests, the bug could lead to unlimited mint of the BCAD tokens, which the hacker could then trade via liquidity pools to other tokens and empty them out.

Luckily, BitSwift was quick in acknowledging the bug, made a payout of $4,515 to the whitehat, and patched this critical web bug vulnerability.

The endpoints were protected by checking whether the user who requested the resource is admin or not. If the request was placed by a non-admin it would be rejected. However, our researcher was able to identify that the /bcad/credit endpoint did not have any permission checks on it, and they were therefore able to request it without incurring any errors.

By initiating the above HTTP request, any attacker could have the ability to mint an unspecified amount of tokens into their account. They can then clean out any open liquidity pools with the token by trading against them until no value is left.

info.png

DISCLAIMER: While web3rekt has used the best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose. 

Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.