mySwap Fake-Token Pool Accounting Exploit
An attacker minted a worthless EVIL token to distort mySwap's concentrated-liquidity pool accounting on Starknet and drained about $305K of residual LP funds.
- Date: June 19, 2026
- Victim: mySwap (mySwap CL)
- Chain(s): Starknet
- Status: no recovery reported at the time of writing
- Funds Stolen: approximately $305,000 (roughly 137.96 ETH, 45,000 USDC, 19,900 USDT and 230,000 STRK)
On June 19, 2026, mySwap — a concentrated-liquidity AMM on Starknet — was exploited for approximately $305,000 after an attacker abused the protocol's pool-accounting logic with a worthless token. The drain began around 07:15 UTC and nearly emptied the remaining liquidity held in the protocol's shared vault.
What happened
The attacker deployed a fake token named EVIL and used it to distort the accounting path that ties mySwap's concentrated-liquidity (CL) pools to their shared vault. Because the vault's bookkeeping trusted balances reported through an attacker-controlled token, a permissionless interaction let the attacker inflate their claim and withdraw real assets that other liquidity providers had supplied. On-chain trackers tallied the haul as roughly 137.96 ETH, 45,000 USDC, 19,900 USDT and 230,000 STRK. Crucially, mySwap's interface had been closed to new liquidity deposits for over six months, so the drained balances were mostly residual LP funds spread across more than 100,000 stale positions — a dormant surface that no one was actively watching. The attacker then bridged the proceeds off Starknet and routed them through Railgun to break the on-chain trail.
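The accounting flaw described above, as an added toy model in Python that is not mySwap's code: a shared vault that credits claim units from whatever balance a deposited token reports about the vault, beside a hardened vault that accepts only registered pool tokens and credits the amount it actually transferred. The token names, the 10**9 inflation factor and the 138 ETH reserve are constructed values.

```python
# Hypothetical model, not mySwap's code: a vault that values LP claims by what a token reports.
from dataclasses import dataclass, field
@dataclass
class Token:
    symbol: str
    balances: dict = field(default_factory=dict)  # account -> amount
    def balance_of(self, account: str) -> int:
        return self.balances.get(account, 0)
    def transfer(self, src: str, dst: str, amount: int) -> None:
        assert self.balances.get(src, 0) >= amount, "insufficient balance"
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

class FakeToken(Token):
    """Attacker-controlled token: lies about how much the vault holds."""
    def balance_of(self, account: str) -> int:
        return self.balances.get(account, 0) * (10**9 if account == "vault" else 1)

@dataclass
class NaiveVault:
    """Flaw: a token's self-reported balance delta becomes claim units redeemable in real ETH."""
    eth: Token
    units: dict = field(default_factory=dict)  # user -> claim units
    def deposit(self, user: str, token: Token, amount: int) -> None:
        before = token.balance_of("vault")
        token.transfer(user, "vault", amount)
        self.units[user] = self.units.get(user, 0) + token.balance_of("vault") - before
    def withdraw_eth(self, user: str, amount: int) -> int:
        if self.units.get(user, 0) < amount:
            return 0
        self.units[user] -= amount
        self.eth.transfer("vault", user, amount)
        return amount

@dataclass
class HardenedVault(NaiveVault):
    """Fix: only registered pool tokens count, credited by the amount actually transferred."""
    allowed: frozenset = frozenset({"ETH"})
    def deposit(self, user: str, token: Token, amount: int) -> None:
        if token.symbol not in self.allowed:
            raise ValueError(f"{token.symbol} is not a registered pool token")
        token.transfer(user, "vault", amount)
        self.units[user] = self.units.get(user, 0) + amount  # never token.balance_of()
def attack(vault: NaiveVault) -> int:
    # Deposit 1 EVIL, then try to redeem the vault's whole real ETH reserve.
    evil = FakeToken("EVIL", {"attacker": 1})
    try:
        vault.deposit("attacker", evil, 1)
    except ValueError:
        return 0
    return vault.withdraw_eth("attacker", vault.eth.balance_of("vault"))
```

Against the naive vault the single EVIL deposit drains the whole ETH reserve; the hardened vault rejects the token at the allow-list check, so the residual LP funds stay in place.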
Aftermath
The exploit drew the remaining liquidity out of the affected pools almost entirely. Because the funds were quickly laundered through Railgun, no recovery had been reported at the time of writing, and there was no white-hat return or negotiated settlement. The incident underscores how a protocol that is effectively wound down — but whose contracts are still live and still holding residual user funds — remains a standing target long after its team has moved on.
Why it matters
mySwap is a reminder that dormant DeFi contracts are not dead contracts: as long as a vault holds value and accepts permissionless interactions, its accounting is an attack surface even when the front end is dark. The fake-token vector mirrors BnbLabubu, where a manipulated token parameter triggered pool-draining math on a PancakeSwap pair, and it joins zkLend as another Starknet protocol felled by exploitable internal accounting rather than a broken cryptographic primitive. For AMMs, the safest residual pool is one whose contracts have been fully drained or frozen — leftover liquidity in a deprecated vault is liability, not legacy.
Sources & on-chain evidence
- [01] phemex.com: https://phemex.com/news/article/starknets-myswap-protocol-exploited-300000-drained-90069
- [02] cryptoadventure.com: https://cryptoadventure.com/myswap-loses-305k-on-starknet-after-fake-evil-token-abuses-cl-pool-accounting/
- [03] hacked.slowmist.io: https://hacked.slowmist.io/