Full Report
BabySwap is a trading platform on BNB Chain. When performing a swap call, the address of the factory is user-controlled. With proper input validation, this would be okay. However, this factory could return a fake token pair to BabySwap. The fake pair, with the proper interfaces implemented, performs fake swaps. Although this doesn't seem like a big deal, it's pretty terrible. Since the contract thinks that it was a real swap, it records rewards. By inflating the cost of the rewards with the fake trades, the attacker can take a lot of money from the contract: real BABY tokens paid out for the fake swaps.
Analysis Summary
# Vulnerability: BabySwap Factory Parameter Injection and Reward Inflation
## CVE Details
- **CVE ID**: N/A (Standard for many DeFi exploits; often tracked by audit firm IDs)
- **CVSS Score**: 9.3 (Critical) - *Estimated based on direct financial loss potential*
- **CWE**: CWE-20 (Improper Input Validation) / CWE-670 (Always-Incorrect Control Flow Implementation)
## Affected Systems
- **Products**: BabySwap Trading Platform (Smart Contracts)
- **Versions**: Legacy Router and Reward Contract (prior to remediation)
- **Configurations**: Smart contracts deployed on BNB Chain (formerly BSC) that allow user-defined `factory` addresses during swap execution.
## Vulnerability Description
The vulnerability stems from a lack of validation on the `factory` parameter within the BabySwap Router contract. In a standard Uniswap-style fork, the factory determines the address of the liquidity pair.
In this instance, an attacker can pass a malicious contract address as the `factory`. When the Router calls this fake factory, it returns a fake "Token Pair" contract controlled by the attacker. This fake pair implements the expected swap interfaces but performs no actual trading. Because the BabySwap ecosystem utilizes a trade-to-earn rewards mechanism (BABY tokens), the protocol's reward contract observes these "swaps" as legitimate high-volume activity. By inflating the cost and volume of these fake trades via the malicious factory, the attacker triggers massive disbursements of BABY reward tokens.
## Exploitation
- **Status**: Exploited in the wild
- **Complexity**: Medium (Requires deployment of malicious smart contracts)
- **Attack Vector**: Network (Smart Contract Interaction)
## Impact
- **Confidentiality**: None
- **Integrity**: High (Manipulation of reward logic and token distribution)
- **Availability**: High (Drainage of protocol-held BABY token reserves)
## Remediation
### Patches
- The BabySwap team has reportedly updated the contract logic to whitelist authorized factories or utilize a hardcoded factory address to prevent arbitrary injection.
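To make the weak pattern and the remediation concrete, the following is an added illustration, not BabySwap's actual code: a router that accepts a caller-supplied `factory` next to one that fixes the factory at deployment. The interfaces, contract names and the `recordTrade` reward hook are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative interfaces (assumed, not BabySwap's actual ABI).
interface IFactory {
    function getPair(address tokenA, address tokenB) external view returns (address);
}
interface IPair {
    function swap(uint256 amount0Out, uint256 amount1Out, address to, bytes calldata data) external;
}
interface IRewards {
    // Credits trade-to-earn rewards to `trader` for `volume` (assumed hook).
    function recordTrade(address trader, uint256 volume) external;
}

// WEAK PATTERN: the caller picks the factory, so the caller also picks the pair
// that reports the "swap", and the reward hook trusts whatever volume it sees.
contract WeakRouter {
    IRewards public immutable rewards;
    constructor(IRewards r) { rewards = r; }

    function swap(address factory, address tokenIn, address tokenOut,
                  uint256 amountIn, uint256 amountOut) external {
        address pair = IFactory(factory).getPair(tokenIn, tokenOut); // caller-supplied factory
        // Token transfer into the pair omitted for brevity.
        IPair(pair).swap(0, amountOut, msg.sender, "");              // pair is not verified
        rewards.recordTrade(msg.sender, amountIn);                   // rewards on unverified volume
    }
}

// HARDENED PATTERN: the factory is fixed at deployment, so the pair is always
// the one the trusted factory registered for this token pair.
contract HardenedRouter {
    IFactory public immutable factory;
    IRewards public immutable rewards;
    constructor(IFactory f, IRewards r) { factory = f; rewards = r; }

    function swap(address tokenIn, address tokenOut,
                  uint256 amountIn, uint256 amountOut) external {
        address pair = factory.getPair(tokenIn, tokenOut);
        require(pair != address(0), "unknown pair");                  // reject unregistered pairs
        IPair(pair).swap(0, amountOut, msg.sender, "");
        rewards.recordTrade(msg.sender, amountIn);                   // volume now comes from a real pair
    }
}
```

The reward contract should additionally restrict `recordTrade` to the trusted router, so that reward accounting cannot be reached from any other caller.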
### Workarounds
- **User Side**: No action required, but users should ensure they are interacting with the latest audited Router UI.
- **Protocol Side**: Immediate suspension of the reward mechanism for non-whitelisted pairs/factories was necessary to halt the drain.
## Detection
- **Indicators of Compromise**:
  - Transactions calling `swap` functions with non-standard `factory` addresses.
  - Abnormally high volumes of `BABY` rewards being claimed by a single address or a cluster of new addresses.
- **Detection Methods and Tools**:
  - Blockchain explorers (BscScan) to monitor the `Reward` contract for large `transfer` events.
  - Transaction trace analysis via tools like Phalcon (BlockSec).
## References
- **Twitter/X BlockSec Advisory**: hxxps[://]x[.]com/BlockSecTeam/status/1529124317666324480
- **Phalcon Attack Transaction Trace**: hxxps[://]phalcon[.]blocksec[.]com/tx/bsc/0xcca7ea9d48e00e7e32e5d005b57ec3cac28bc3ad0181e4ca208832e62aa52efe
- **Official Project Handle**: hxxps[://]x[.]com/babyswap_bsc