AirSwap’s team announced its findings and a possible solution for all potentially affected users in a Medium post published on Sept. 13.
A limited vulnerability
Per the release, on Sept. 12 AirSwap’s development team found a vulnerability in a new smart contract, which was reverted to an older version in under 24 hours after the discovery. Under certain conditions, the exploit in question could have allowed an attacker to perform a swap without requiring a signature from a counterparty. The scope of the vulnerability is reportedly limited:
“The affected code was present in the AirSwap system for under 24 hours, and only affects some users of AirSwap Instant between midday September 11th and early morning of September 12th. We initially identified 20 vulnerable addresses matching this pattern and quickly reduced it to 10 accounts that are currently at risk.”
Only nine addresses are at risk
AirSwap notes that the exploitable smart contract was reverted immediately after the issue was detected and that “both the AirSwap Instant and Trader products are no longer affected by the vulnerability.” The release also discloses the nine Ethereum addresses that used the exploitable functionality during that time period.
It is noted that only the owners of those nine addresses are required to take any action to prevent loss of funds. More precisely, they need to revoke the authorization for the vulnerable smart contract by visiting the following link.