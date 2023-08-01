LeetSwap, a decentralized trading platform on the Base chain, was hacked on August 1, 2023, resulting in an attacker profiting approximately $624,000, according to SlowMist security team's intelligence.

The primary cause of the attack lies in the Pair contract, which allows the externally-callable _transferFeesSupportingTaxTokens function to transfer any given number of specified tokens in the contract to the fee-charging address. Initially, the attacker conducted a normal small-amount swap operation, acquiring tokens necessary for the following swap. The attacker then called the _transferFeesSupportingTaxTokens function to transfer almost all tokens from one party in the pair to the fee-charging address, disrupting the balance of liquidity in the Pair.

Finally, the sync function was called to rebalance the pool, followed by a reverse swap to obtain more ETH than anticipated.



