On October 11, 2022, the Swap contract of the Rabby Wallet project on the ETH chain was attacked. The token exchange function in the contract makes external calls directly through the functionCallWithValue function of the OpenZeppelin Address library. Both the target contract and the calldata are supplied by the user, but the contract does not validate either of them, so the external call can be pointed at any contract with any data.
The attacker exploited this issue to steal funds from users who had granted token approvals to this contract.
Users who have interacted with the contract are reminded to revoke its approvals and withdraw their funds promptly to avoid further risk.
The Rabby Swap hacker has made over $190,000 so far, with no further fund transfers observed.
The hacker addresses were funded for gas with 10 BNB from Tornado Cash, and the tools used to move the funds were Multichain, ParaSwap, PancakeSwap, Uniswap V3, and Trader Joe.
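An added illustration, not code from the Rabby project: the unchecked call pattern described above beside a hardened version that restricts the target to owner-registered routers and forwards the user's tokens itself, so no user approval is ever reachable from the external call. Contract names, `allowedTargets` and the OpenZeppelin version assumed are my own choices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Assumes OpenZeppelin Contracts >= 4.9 (for SafeERC20.forceApprove).
import "@openzeppelin/contracts/utils/Address.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Unchecked pattern (hypothetical, modelled on the issue described above):
// target and data are both caller-controlled, so the call can be aimed at
// any token contract that other users have approved to this contract.
contract SwapUnchecked {
    using Address for address;
    function swap(address target, bytes calldata data) external payable {
        target.functionCallWithValue(data, msg.value); // no validation at all
    }
}

// Hardened pattern: only owner-registered router contracts may be called,
// and the user's tokens are pulled by this contract and forwarded with a
// transient allowance, so the router never needs the user's own approval.
contract SwapHardened {
    using Address for address;
    using SafeERC20 for IERC20;

    address public immutable owner;
    mapping(address => bool) public allowedTargets;

    constructor() { owner = msg.sender; }

    function setTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        require(target.code.length > 0, "target is not a contract");
        allowedTargets[target] = allowed;
    }

    function swap(address target, IERC20 tokenIn, uint256 amountIn, bytes calldata data)
        external payable
    {
        require(allowedTargets[target], "target not allowed");
        require(address(tokenIn) != target, "token cannot be the call target");
        // Pull exactly amountIn from the caller, let the router spend only
        // that much, and clear the allowance afterwards.
        tokenIn.safeTransferFrom(msg.sender, address(this), amountIn);
        tokenIn.forceApprove(target, amountIn);
        target.functionCallWithValue(data, msg.value);
        tokenIn.forceApprove(target, 0);
    }
}
```

Even with the allowlist, `data` is still caller-chosen, so each registered router must be reviewed to confirm it cannot itself be used to make arbitrary calls on this contract's behalf.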