AirSwap’s internal security team identified a potential exploit in a newly released mainnet smart contract. The vulnerability would allow an attacker to “perform a swap without requiring a signature from a counterparty.”
“Our team discovered a critical vulnerability in a new AirSwap smart contract. Read on to understand the steps we’ve taken to prevent the vulnerability from being exploited, and to determine whether you need to take immediate action. https://medium.com/fluidity/critical-vulnerability-in-a-new-airswap-smart-contract-c1204e04d7d3 … “
AirSwap claims that the offending code was only present for twenty-four hours on the network before being identified and removed. However, users of AirSwap Instant between Sept. 11 and Sept. 12 may have been affected by the vulnerability, with the report claiming that 10 accounts have been recognized so far as being at risk.
AirSwap has published the addresses to the vulnerable accounts, telling all other users that no further action is required. The report also outlines the step-by-step actions taken by the exchange in the aftermath of discovering the vulnerability, including an apology to its client base,
We would like to deeply apologize to our affected users for any inconvenience these vulnerabilities may have caused, and hope that the important lessons we continue to learn throughout these processes form the basis for a more open, secure, and efficient trading environment.