The decentralized exchange LeetSwap, operating on Coinbase’s Base network, fell victim to a sophisticated smart contract exploit on August 1, 2023, resulting in the loss of over 340 ETH—valued at approximately $636,000 at the time. The attack exposed critical vulnerabilities in access control mechanisms that continue to plague decentralized finance protocols.
The Exploit Mechanics
The attacker identified and exploited a publicly exposed function named _transferFeesSupportingTaxTokens within LeetSwap’s smart contract infrastructure. This function, which should have been restricted to authorized addresses only, was accessible to any external caller on the network.
The attack sequence followed a methodical pattern. First, the attacker swapped WETH for a targeted token within a LeetSwap liquidity pool. Then, using the exposed fee transfer function, they transferred the token while simultaneously invoking the pool’s sync function. This manipulation artificially inflated the token’s price within the pool. Finally, the attacker swapped the now-overvalued tokens back for WETH, draining the liquidity pool at a significant profit.
This was not an isolated incident targeting a single pool. The attacker systematically repeated this process across multiple LeetSwap liquidity pools, compounding the total losses well beyond the initial 340 ETH figure.
Affected Systems
The exploit specifically targeted LeetSwap’s deployment on the Base network, a Layer 2 scaling solution built by Coinbase on top of Optimism’s OP Stack. At the time, Base was in its early days of public availability, having opened its mainnet to developers just weeks prior. The attack contract was deployed at 0xea8f89 and the vulnerable contract at 0x94dac4 on Base (addresses abbreviated).
The broader DeFi ecosystem was already reeling from the Curve Finance exploit that occurred just two days earlier on July 30, 2023, which exploited a Vyper compiler reentrancy vulnerability and resulted in over $24 million in losses. Together, these incidents contributed to a staggering $390 million in total losses across the crypto sector during July 2023 alone, according to De.Fi’s monthly Rekt Report published on August 1.
The Mitigation Strategy
Security researchers from CredShields analyzed the attack and identified several critical mitigation measures. The primary recommendation was implementing proper access control using OpenZeppelin’s “onlyOwner” modifier to restrict sensitive function calls to authorized addresses. Additionally, function visibility should be carefully audited to ensure internal functions are not inadvertently exposed as public.
Comprehensive test coverage is essential to validate all business logic paths and edge cases. Professional smart contract audits from reputable security firms can identify these vulnerabilities before deployment, saving projects from catastrophic losses.
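To make the exposed-helper problem and the recommended fix concrete, here is an added Solidity sketch that is not LeetSwap’s code and not from the CredShields analysis. It shows the hardened shape (helper made internal, reachable only through an onlyOwner entry point) and ends with a Foundry test of the access check, the kind of coverage the previous paragraph asks for. The contract and function names HardenedFeePair, collectFees, MockToken and the tests are hypothetical; the parameter list of _transferFeesSupportingTaxTokens is a guess, since the page gives only its name. It assumes OpenZeppelin Contracts v5 (Ownable takes an initialOwner and reverts with OwnableUnauthorizedAccount) and forge-std.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not LeetSwap's code. Assumes OpenZeppelin Contracts v5 and forge-std;
// the helper's parameter list is a guess, the page gives only its name.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Test} from "forge-std/Test.sol";

// Vulnerable shape (for contrast, hypothetical reconstruction):
//   function _transferFeesSupportingTaxTokens(IERC20 token, address to, uint256 amount) public { ... }
// The underscore says "helper", but `public` with no modifier lets any address move
// pool tokens out and then call sync() to rewrite the reserves.
contract HardenedFeePair is Ownable {
    using SafeERC20 for IERC20;

    IERC20 public immutable token0;
    IERC20 public immutable token1;
    uint256 public reserve0;
    uint256 public reserve1;

    constructor(IERC20 a, IERC20 b, address initialOwner) Ownable(initialOwner) {
        token0 = a;
        token1 = b;
    }

    /// Owner-only entry point (e.g. a fee-collector multisig). Reserves are
    /// re-synced in the same call so the pool never sits in an inconsistent state.
    function collectFees(IERC20 token, address to, uint256 amount) external onlyOwner {
        require(token == token0 || token == token1, "unknown token");
        _transferFeesSupportingTaxTokens(token, to, amount);
        _sync();
    }

    /// `internal`: the function gets no external selector, so it cannot be
    /// reached from outside the contract at all.
    function _transferFeesSupportingTaxTokens(IERC20 token, address to, uint256 amount) internal {
        token.safeTransfer(to, amount);
    }

    function sync() external { _sync(); }

    function _sync() internal {
        reserve0 = token0.balanceOf(address(this));
        reserve1 = token1.balanceOf(address(this));
    }
}

contract MockToken is ERC20 {
    constructor(string memory n) ERC20(n, n) { _mint(msg.sender, 1_000_000e18); }
}

/// Foundry tests covering the access path: the coverage the write-up asks for.
contract HardenedFeePairTest is Test {
    HardenedFeePair pair;
    MockToken t0;
    MockToken t1;
    address owner = makeAddr("owner");
    address attacker = makeAddr("attacker");

    function setUp() public {
        t0 = new MockToken("T0");
        t1 = new MockToken("T1");
        pair = new HardenedFeePair(t0, t1, owner);
        t0.transfer(address(pair), 100e18); // seed the pool with constructed balances
        t1.transfer(address(pair), 100e18);
        pair.sync();
    }

    function test_unauthorizedCallerReverts() public {
        vm.prank(attacker);
        vm.expectRevert(abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, attacker));
        pair.collectFees(t0, attacker, 50e18);
        assertEq(pair.reserve0(), 100e18); // reserves untouched
    }

    function test_ownerCollectsAndReservesMatchBalances() public {
        vm.prank(owner);
        pair.collectFees(t0, owner, 10e18);
        assertEq(t0.balanceOf(owner), 10e18);
        assertEq(pair.reserve0(), t0.balanceOf(address(pair)));
    }

    // The helper has no public selector, so a raw call with its signature must fail.
    function test_helperHasNoExternalSelector() public {
        (bool ok, ) = address(pair).call(
            abi.encodeWithSignature("_transferFeesSupportingTaxTokens(address,address,uint256)", address(t0), attacker, 1e18)
        );
        assertFalse(ok);
    }
}
```

Run it with `forge test` in a project that has the two dependencies installed. The third test is the one a visibility audit should add to every contract with underscore-named helpers: it calls the helper by signature from outside and expects the call to fail, which is exactly what would have caught a helper accidentally declared public.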
Lessons Learned
The LeetSwap exploit underscores a persistent challenge in DeFi security: access control failures remain one of the most common and devastating vulnerability classes. Despite the availability of well-established patterns and libraries for implementing access restrictions, new projects continue to deploy contracts with improperly secured functions.
The timing of this attack, coming just 48 hours after the Curve Finance exploit, highlights the cascading nature of DeFi security incidents. When attackers identify a successful exploit pattern, they often scan for similar vulnerabilities across other protocols, leading to clusters of attacks within short timeframes.
User Action Required
Users who interacted with LeetSwap on Base should immediately check their wallet transactions for any unauthorized activity. Liquidity providers should withdraw their funds from any affected pools. All DeFi users should exercise heightened caution when interacting with newly launched protocols, particularly those on networks that are themselves newly launched, as Base was at the time. Always verify that a protocol has undergone professional security audits before committing significant capital.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.
a publicly exposed _transferFeesSupportingTaxTokens function… that's not even a bug, that's just negligence. access control 101
it's worse than negligence. they probably copied a template and didn't even think about access modifiers. seen it a dozen times on new L2 launches
access control 101 and a team building on a new L2 skipped it. the rush to deploy on base was real, everyone wanted to be first and security was an afterthought
340 ETH gone because someone forgot to add a modifier. this is why I stick to audited protocols only
audited protocols get exploited too though. the issue here is base network being new with fewer mature tooling options for teams to use
fair point on tooling but base was literally weeks old when this happened. teams deploying serious TVL on a chain with no audit infrastructure was the real problem
the attack pattern is actually clever though. inflate via sync then dump. simple but effective on unaudited contracts
the attack pattern is textbook at this point. same playbook we saw with dozens of DeFi exploits in 2022