Bitswift.cash allows people to conveniently participate in the token economy, providing an accessible interface interconnecting blockchains, leaving the user in control of their own personal digital information.

The critical vulnerability was reported to Immunefi by a community security researcher. As its name suggests, the bug could lead to unlimited mint of the BCAD tokens, which the hacker could then trade via liquidity pools to other tokens and empty them out.

Luckily, BitSwift was quick in acknowledging the bug, made a payout of $4,515 to the whitehat, and patched this critical web bug vulnerability.

The endpoints were protected by checking whether the user who requested the resource is admin or not. If the request was placed by a non-admin it would be rejected. However, our researcher was able to identify that the /bcad/credit endpoint did not have any permission checks on it, and they were therefore able to request it without incurring any errors.

By initiating the above HTTP request, any attacker could have the ability to mint an unspecified amount of tokens into their account. They can then clean out any open liquidity pools with the token by trading against them until no value is left.