AirSwap, a peer-to-peer token trading network built on Ethereum, has disclosed that it found a critical vulnerability in its newly released smart contract. Under certain conditions, the vulnerability would allow an attacker to perform a token swap without the counterparty signing off on the trade.
According to AirSwap, the vulnerability was present in its system for less than 24 hours, and ten accounts were identified as "at risk." After identifying the vulnerability, the AirSwap team rolled back its AirSwap Instant product to its original smart contracts. The team also contacted all affected users and "developed exploit code to proactively drain all vulnerable funds in the AirSwap contracts" into a withdrawal contract accessible only to the owner of the drained tokens.