QI Quadriga Initiative

Oct 2021 - WeDEX Flash Loan Attack - $100k (Global)

"WeDEX is a decentralized exchange based on Ethereum. WeDEX adopts the Loopring Protocol and Zkps technology, which greatly improves transaction speed and user experience on the premise of ensuring transaction security. WeDEX does not take any custody of user assets, each trade can be verified on the chain and the data is transparent in WeDEX. With on-chain data availability, the throughput is as high as 1400 trades per second. The user experience is comparable to centralized exchanges. Enjoy your crypto trading in WeDEX."

"WEDEX is the leading decentralized exchange on Binance Smart Chain, we bring the freedom and privacy for the user! Why pay more? WEDEX runs on Binance Smart Chain, a blockchain with much lower transaction costs than Ethereum or Bitcoin. Trading fees are lower than other top decentralized exchanges too, so that's a double win for you! Trade directly from your wallet app. Unlike centralized exchanges like Binance or Coinbase, WEDEX doesn’t hold your funds when you trade: you have 100% ownership of your own crypto."

"On October 18, 2021" "#WEDEX suffered a flash loan assisted attack. The attacker was able to gain profit from deposit and emergencyWithdraw operation."

"WeDEX lost $100K after an attacker was able to continuously call emergencyWithdraw() function due to a misconfiguration." "The incident was caused by the #WEDEX unique feature: users can receive commissions ($DEX) when they deposit LP tokens to WedexChef if the pool’s locking period is not 0."

"When the variable emergencyLockingWithdrawEnable is "TRUE", the attacker can trigger the function emergencyWithdraw() to withdraw tokens without any explicit restrictions."

"The attacker repeated the steps “deposit-emergencyWithdraw” to generate more commissions. Lastly, the attacker amplified the profit by borrowing flash loans to manipulate the DEX price."

"Hey there dear community members! WEDEX contract is audited and listed, check the report by link below and stay safe."

Further Analysis

The WeDEX smart contract hot wallet was reportedly exploited for $100k. Shortly afterward, the team obtained an audit. It's unclear if the team has done anything to compensate affected users.

How Could This Have Been Prevented?
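
The commission-on-deposit behaviour quoted above, reduced to a small Python model with a hardened variant beside the vulnerable one. This is an added example, not WeDEX's contract code and not taken from the cited reports. The 1% commission rate, the `ChefModel` class and the escrow-until-unlock fix are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

COMMISSION_BPS = 100  # assumed rate: 1% of deposited LP credited as DEX

@dataclass
class ChefModel:
    """Toy model of a commission-paying staking pool (not WedexChef's code)."""
    locking_period: int                      # blocks; 0 means no commission
    emergency_locking_withdraw_enable: bool  # flag named in the incident report
    hardened: bool = False                   # True: commission escrowed until unlock
    block: int = 0
    staked: dict = field(default_factory=lambda: defaultdict(int))
    unlock_at: dict = field(default_factory=dict)
    pending: dict = field(default_factory=lambda: defaultdict(int))  # escrowed DEX
    paid: dict = field(default_factory=lambda: defaultdict(int))     # DEX sent out

    def deposit(self, user, amount):
        self.staked[user] += amount
        if self.locking_period == 0:
            return
        self.unlock_at[user] = self.block + self.locking_period
        reward = amount * COMMISSION_BPS // 10_000
        # Vulnerable form pays at deposit time; hardened form escrows.
        (self.pending if self.hardened else self.paid)[user] += reward

    def emergency_withdraw(self, user):
        locked = self.block < self.unlock_at.get(user, 0)
        if locked and not self.emergency_locking_withdraw_enable:
            raise PermissionError("deposit is still locked")
        if locked:
            self.pending[user] = 0  # early exit forfeits unvested commission
        amount, self.staked[user] = self.staked[user], 0
        return amount

    def claim(self, user):
        if self.block >= self.unlock_at.get(user, 0):
            self.paid[user] += self.pending[user]
            self.pending[user] = 0
        return self.paid[user]

def commission_after_cycles(chef, user, lp, cycles):
    """Repeat deposit -> emergencyWithdraw within one block; return DEX paid."""
    for _ in range(cycles):
        chef.deposit(user, lp)
        lp = chef.emergency_withdraw(user)
    return chef.claim(user)
```

The invariant worth testing before deployment is that principal which never stayed locked earns no commission, whatever the state of the emergency flag.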



