Audit log

Every state-changing event for mySwap Starknet CL Protocol: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-06-24 23:06:17Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 428,686,254

   sig

   2R2QC24satPC…X7eNnzETcopyexplorer ↗

   hash

   B7yQZ3jHQ65H…iCysAQYGcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (11577 B) ▸

   {"actor":"system:backfill","investigation_id":"8866478f-a8d3-4e27-abb8-23f0338b8e27","kind":"publish","page_slug":"myswap-starknet-cl-protocol","published_at":"2026-06-24T23:06:17.278Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"mySwap Starknet CL Protocol","sections":[{"content":"mySwap launched as the first AMM on Starknet, a ZK-rollup Layer 2 network. It subsequently introduced a concentrated liquidity product, mySwap CL, enabling liquidity providers to deploy capital within specified price ranges for improved capital efficiency. According to DefiLlama, mySwap CL reached a peak total value locked of approximately $9.7 million in April 2024. TVL then declined sharply, falling roughly 99.9% to approximately $5,000 by mid-2025. The protocol closed its interface to new liquidity deposits and was functionally dormant for more than six months prior to the June 2026 exploit. At the time of the exploit, residual LP positions remained distributed across more than 100,000 positions in the shared vault.","heading":"Protocol Background","severity":"low","sources":[{"credibility":2,"name":"mySwap CL TVL and Volume - DefiLlama","type":"research","url":"https://defillama.com/protocol/myswap-cl"},{"credibility":2,"name":"mySwap Concentrated Liquidity on Starknet - Official Site","type":"official","url":"https://www.myswap.xyz/"}]},{"content":"On June 19, 2026, at approximately 7:15 AM UTC, the mySwap CL protocol was exploited via a smart contract vulnerability in its shared-vault accounting layer. The attacker deployed a malicious token named EVIL and used it to manipulate how the CL pool system recognized balances and released assets from the shared vault. The exploit was permissionless — it did not require any private-key compromise, admin-level access, or oracle manipulation. The mySwap CL design requires that pool balances, vault balances, and liquidity-provider claims remain aligned through every deposit, swap, and withdrawal. The attacker identified a failure in this alignment mechanism and used the EVIL token as an entry point into the accounting layer, triggering unauthorized asset releases. The protocol's dormant state — no new deposits accepted for six months prior — did not prevent the attack, as residual locked LP positions remained vulnerable.","heading":"June 2026 Exploit: Attack Mechanism","severity":"critical","sources":[{"credibility":2,"name":"mySwap Loses $305K On Starknet After Fake EVIL Token Abuses CL Pool Accounting - CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/myswap-loses-305k-on-starknet-after-fake-evil-token-abuses-cl-pool-accounting/"},{"credibility":2,"name":"Starknet's mySwap Protocol Exploited, $300,000 Drained - Phemex News","type":"news_article","url":"https://phemex.com/news/article/starknets-myswap-protocol-exploited-300000-drained-90069"},{"credibility":2,"name":"SlowMist Hacked Database - mySwap CL Entry","type":"research","url":"https://hacked.slowmist.io/"}]},{"content":"The exploit drained approximately $305,000 in assets from the mySwap CL shared vault. Confirmed stolen assets comprise: 137.96 ETH, 45,000 USDC, 19,900 USDT, and 230,000 STRK tokens. These funds represent residual liquidity provider positions that remained locked in the protocol despite it having been closed to new deposits. The stolen assets were distributed across more than 100,000 LP positions, all of which were effectively drained in the attack. No recovery of funds has been confirmed as of the date of this report.","heading":"Financial Impact and Stolen Assets","severity":"critical","sources":[{"credibility":2,"name":"mySwap Loses $305K On Starknet After Fake EVIL Token Abuses CL Pool Accounting - CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/myswap-loses-305k-on-starknet-after-fake-evil-token-abuses-cl-pool-accounting/"},{"credibility":2,"name":"Starknet's mySwap Protocol Exploited, $300,000 Drained - Phemex News","type":"news_article","url":"https://phemex.com/news/article/starknets-myswap-protocol-exploited-300000-drained-90069"}]},{"content":"Following the drain of assets from the mySwap CL protocol, the attacker bridged the stolen funds cross-chain and routed them through Railgun, a privacy protocol designed to obscure transaction flows on EVM-compatible chains. The use of Railgun is consistent with deliberate efforts to prevent on-chain tracing and asset recovery. As of reporting, no attacker wallet address has been publicly identified by security researchers or the mySwap team. The cross-chain bridging and Railgun routing significantly reduce the probability of fund recovery through conventional on-chain forensics.","heading":"Post-Exploit Fund Movement and Obfuscation","severity":"high","sources":[{"credibility":2,"name":"mySwap Loses $305K On Starknet After Fake EVIL Token Abuses CL Pool Accounting - CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/myswap-loses-305k-on-starknet-after-fake-evil-token-abuses-cl-pool-accounting/"},{"credibility":2,"name":"Starknet's mySwap Protocol Exploited, $300,000 Drained - Phemex News","type":"news_article","url":"https://phemex.com/news/article/starknets-myswap-protocol-exploited-300000-drained-90069"}]},{"content":"mySwap confirmed the incident and stated it was assessing the full impact of the exploit. As of June 20, 2026, no detailed post-mortem, reimbursement plan, or remediation roadmap had been published. The incident was described by reporters as remaining at the alert stage pending an official mySwap post-mortem. No bug bounty payment or white-hat negotiation has been reported. Given the protocol's pre-existing dormant status and near-zero TVL at the time of the attack, the probability of a formal recovery or compensation program for affected LPs is unclear.","heading":"Protocol Response and Remediation","severity":"high","sources":[{"credibility":2,"name":"Starknet's mySwap Protocol Exploited, $300,000 Drained - Phemex News","type":"news_article","url":"https://phemex.com/news/article/starknets-myswap-protocol-exploited-300000-drained-90069"},{"credibility":2,"name":"mySwap Loses $305K On Starknet After Fake EVIL Token Abuses CL Pool Accounting - CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/myswap-loses-305k-on-starknet-after-fake-evil-token-abuses-cl-pool-accounting/"}]},{"content":"This incident illustrates several risk factors relevant to dormant DeFi protocols. First, the attack demonstrates that protocols closed to new deposits are not inherently protected; residual locked positions remain vulnerable if smart contract logic is unpatched. Second, permissionless pool creation — a design feature of concentrated liquidity AMMs — enables attackers to introduce malicious tokens without any governance approval or access control bypass, lowering the bar for exploitation. Third, the shared-vault accounting architecture, which links multiple pools through a common settlement layer, can amplify the impact of a single accounting flaw across all pooled assets. Fourth, the absence of publicly identified security audits covering the EVIL-token attack vector suggests the vulnerability may not have been reviewed after the protocol entered dormancy. The Starknet ecosystem has seen parallel incidents during this period, including an exploit of the Ekubo swap router for $1.4 million, indicating broader smart contract risk across Starknet-native DeFi protocols.","heading":"Risk Factors and Systemic Observations","severity":"high","sources":[{"credibility":2,"name":"mySwap Loses $305K On Starknet After Fake EVIL Token Abuses CL Pool Accounting - CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/myswap-loses-305k-on-starknet-after-fake-evil-token-abuses-cl-pool-accounting/"},{"credibility":2,"name":"Attackers drain $1.4M from Ekubo DeFi protocol - The Block","type":"news_article","url":"https://www.theblock.co/post/400189/attackers-drain-1-4m-in-wrapped-bitcoin-from-defi-protocol-ekubo-in-approval-based-exploit"}]}],"sources_used":[{"credibility":2,"name":"mySwap Loses $305K On Starknet After Fake EVIL Token Abuses CL Pool Accounting - CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/myswap-loses-305k-on-starknet-after-fake-evil-token-abuses-cl-pool-accounting/"},{"credibility":2,"name":"Starknet's mySwap Protocol Exploited, $300,000 Drained - Phemex News","type":"news_article","url":"https://phemex.com/news/article/starknets-myswap-protocol-exploited-300000-drained-90069"},{"credibility":2,"name":"mySwap CL TVL and Volume - DefiLlama","type":"research","url":"https://defillama.com/protocol/myswap-cl"},{"credibility":2,"name":"SlowMist Hacked Database","type":"research","url":"https://hacked.slowmist.io/"},{"credibility":2,"name":"mySwap Concentrated Liquidity on Starknet - Official Site","type":"official","url":"https://www.myswap.xyz/"},{"credibility":2,"name":"Attackers drain $1.4M in wrapped bitcoin from Ekubo DeFi protocol - The Block","type":"news_article","url":"https://www.theblock.co/post/400189/attackers-drain-1-4m-in-wrapped-bitcoin-from-defi-protocol-ekubo-in-approval-based-exploit"}],"summary":"mySwap is the first automated market maker deployed on Starknet, operating a concentrated liquidity (CL) protocol that reached a peak TVL of approximately $9.7 million in April 2024 before declining sharply to near-zero by early 2025. On June 19, 2026, an attacker exploited a shared-vault accounting vulnerability in the dormant CL protocol by deploying a fake token named EVIL, draining approximately $305,000 in residual LP assets. The stolen funds were bridged cross-chain and routed through Railgun; no recovery has been confirmed and the attacker remains unidentified.","timeline":[{"date":"2022-01","event":"mySwap launches on Starknet as the first AMM on the network.","source":"mySwap on X (formerly Twitter) account creation and Starknet ecosystem records","source_url":"https://x.com/mySwapxyz"},{"date":"2024-04","event":"mySwap CL reaches peak TVL of approximately $9.7 million according to DefiLlama.","source":"DefiLlama - mySwap CL","source_url":"https://defillama.com/protocol/myswap-cl"},{"date":"2024-07","event":"TVL begins sustained decline from $9.7M peak, falling to low single-digit millions and continuing downward through 2024.","source":"DefiLlama - mySwap CL","source_url":"https://defillama.com/protocol/myswap-cl"},{"date":"2025-01","event":"mySwap CL TVL reaches approximately $5,000, a decline of over 99.9% from peak. Protocol is effectively dormant, with no new deposits accepted.","source":"DefiLlama - mySwap CL","source_url":"https://defillama.com/protocol/myswap-cl"},{"date":"2026-06-19","event":"At approximately 7:15 AM UTC, an attacker deploys a fake EVIL token and exploits a shared-vault accounting vulnerability in mySwap CL, draining 137.96 ETH, 45,000 USDC, 19,900 USDT, and 230,000 STRK — totaling approximately $305,000. Stolen assets are subsequently bridged cross-chain and routed through Railgun.","source":"CryptoAdventure - mySwap Loses $305K On Starknet","source_url":"https://cryptoadventure.com/myswap-loses-305k-on-starknet-after-fake-evil-token-abuses-cl-pool-accounting/"},{"date":"2026-06-20","event":"mySwap confirms the incident and states it is assessing the full impact. No post-mortem or recovery plan published as of this date.","source":"Phemex News - Starknet's mySwap Protocol Exploited","source_url":"https://phemex.com/news/article/starknets-myswap-protocol-exploited-300000-drained-90069"}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 3aa9b24f-ba60-4778-93eb-420db95e59f0copy