Verify a decision

{"actor":"system:backfill","investigation_id":"b1298889-6efa-4cbd-abcb-e2dc2a533ebb","kind":"publish","page_slug":"myswap-cl-protocol-starknet","published_at":"2026-06-25T23:27:27.489Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"mySwap CL Protocol (Starknet)","sections":[{"content":"mySwap launched as the first automated market maker on Starknet, a ZK-rollup Layer 2 network. It subsequently introduced a concentrated liquidity product, mySwap CL, positioning it as analogous to Uniswap v3 on Ethereum by enabling liquidity providers to deploy capital within specified price ranges for improved capital efficiency. According to DefiLlama, mySwap CL reached a peak total value locked of approximately $9.7 million in April 2024, after which TVL declined sharply by over 99.9% to approximately $5,000 by mid-2025. The protocol's cumulative all-time DEX volume was reported at approximately $622 million prior to the June 2026 exploit. By early 2024, mySwap was reportedly the second most active dApp on Starknet by number of active accounts. The protocol closed its interface to new liquidity deposits and was functionally dormant for more than six months prior to the June 2026 exploit.","heading":"Protocol Background","severity":"low","sources":[{"credibility":2,"name":"mySwap CL TVL and Volume - DefiLlama","type":"research","url":"https://defillama.com/protocol/myswap-cl"},{"credibility":3,"name":"mySwap: Leading Starknet's AMM Arena with the Best Yields - Braavos","type":"other","url":"https://braavos.app/myswap-starknet-amm/"},{"credibility":2,"name":"mySwap Concentrated Liquidity on Starknet - Official Site","type":"official","url":"https://www.myswap.xyz/"}]},{"content":"On June 19, 2026, at approximately 7:15 AM UTC, the mySwap CL protocol was exploited via a smart contract vulnerability in its shared-vault accounting layer. The attacker deployed a malicious ERC-20 token named EVIL and used it to manipulate how the CL pool system recognized balances and released assets from the shared vault. The exploit was permissionless — it did not require any private-key compromise, admin-level access, or oracle manipulation. The core vulnerability lay in insufficient validation boundaries between token interactions and the vault accounting layer. By interacting with pool accounting through the EVIL token, the attacker distorted balance recognition, creating a pathway into the shared vault holding real assets across multiple pools. The stolen assets comprised 137.96 ETH, 45,000 USDC, 19,900 USDT, and 230,000 STRK tokens, totaling approximately $305,000. The attack drained funds from over 100,000 LP positions, effectively depleting nearly all remaining liquidity in the protocol. No private key compromise or administrative failure was alleged as contributing to the exploit.","heading":"June 2026 Exploit: EVIL Token Attack","severity":"critical","sources":[{"credibility":2,"name":"mySwap Loses $305K On Starknet After Fake EVIL Token Abuses CL Pool Accounting - CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/myswap-loses-305k-on-starknet-after-fake-evil-token-abuses-cl-pool-accounting/"},{"credibility":2,"name":"Starknet's mySwap Protocol Exploited, $300,000 Drained - Phemex News","type":"news_article","url":"https://phemex.com/news/article/starknets-myswap-protocol-exploited-300000-drained-90069"},{"credibility":2,"name":"SlowMist Hacked Database","type":"research","url":"https://hacked.slowmist.io/"}]},{"content":"Following the drain of assets from the mySwap CL protocol, the attacker bridged the stolen funds cross-chain off Starknet and subsequently routed them through Railgun, a zero-knowledge privacy protocol designed to obscure transaction flows. The use of Railgun is consistent with deliberate efforts to prevent on-chain tracing and impede asset recovery. As of the time of available reporting, no attacker wallet address had been publicly identified by security researchers or the mySwap team. The cross-chain bridging combined with Railgun routing significantly reduces the probability of fund recovery through conventional on-chain forensics.","heading":"Post-Exploit Fund Movement and Obfuscation","severity":"high","sources":[{"credibility":2,"name":"mySwap Loses $305K On Starknet After Fake EVIL Token Abuses CL Pool Accounting - CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/myswap-loses-305k-on-starknet-after-fake-evil-token-abuses-cl-pool-accounting/"},{"credibility":2,"name":"Starknet's mySwap Protocol Exploited, $300,000 Drained - Phemex News","type":"news_article","url":"https://phemex.com/news/article/starknets-myswap-protocol-exploited-300000-drained-90069"}]},{"content":"The mySwap CL protocol had ceased accepting new liquidity deposits for over six months prior to the exploit, indicating the product was in a winding-down or deprecated state. Despite this dormancy, over 100,000 LP positions remained locked in the protocol retaining real asset value. The attack succeeded against a system that was no longer under active development or receiving active security maintenance. The incident illustrates several structural risk factors in concentrated liquidity protocol design: (1) Permissionless pool creation — a feature of CL AMMs — allows attackers to introduce malicious tokens without governance approval or access control bypass, lowering the barrier to entry for accounting exploits. (2) Shared-vault architecture linking multiple pools through a single settlement layer can amplify a single accounting flaw across all pooled assets. (3) Deprecated protocols that retain locked user funds without continued security review present a persistent, unmitigated attack surface. The post-exploit TVL on DefiLlama stood at approximately $5,215, consistent with near-total depletion of liquidity.","heading":"Protocol Dormancy and Systemic Risk Factors","severity":"high","sources":[{"credibility":2,"name":"mySwap CL TVL and Volume - DefiLlama","type":"research","url":"https://defillama.com/protocol/myswap-cl"},{"credibility":2,"name":"mySwap Loses $305K On Starknet After Fake EVIL Token Abuses CL Pool Accounting - CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/myswap-loses-305k-on-starknet-after-fake-evil-token-abuses-cl-pool-accounting/"},{"credibility":2,"name":"Starknet's mySwap Protocol Exploited, $300,000 Drained - Phemex News","type":"news_article","url":"https://phemex.com/news/article/starknets-myswap-protocol-exploited-300000-drained-90069"}]},{"content":"As of June 20, 2026, mySwap confirmed the incident and stated it was assessing the full impact of the exploit. No detailed technical post-mortem, reimbursement plan, or formal security advisory had been published by the protocol team at the time of available reporting. The absence of a post-mortem within the initial reporting window is a transparency concern given that more than 100,000 LP positions were affected. The incident was described in reporting as remaining at the alert stage pending a formal mySwap analysis. No bug bounty payment or white-hat negotiation has been reported. Given the protocol's pre-existing dormant status and near-zero TVL, the likelihood of a formal compensation program for affected liquidity providers is uncertain.","heading":"Official Response and Transparency","severity":"high","sources":[{"credibility":2,"name":"Starknet's mySwap Protocol Exploited, $300,000 Drained - Phemex News","type":"news_article","url":"https://phemex.com/news/article/starknets-myswap-protocol-exploited-300000-drained-90069"},{"credibility":2,"name":"mySwap Loses $305K On Starknet After Fake EVIL Token Abuses CL Pool Accounting - CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/myswap-loses-305k-on-starknet-after-fake-evil-token-abuses-cl-pool-accounting/"}]},{"content":"The mySwap exploit occurred during a period of elevated DeFi security incidents in mid-2026. The Starknet ecosystem has seen parallel smart contract vulnerabilities during this period, with reporting noting other Starknet-native protocol exploits. The attack vector — a permissionless malicious token interaction manipulating shared vault accounting — represents a class of vulnerability applicable to any CL AMM that does not enforce strict token allowlisting or balance-validation invariants. The use of Railgun for post-exploit fund concealment has been observed in multiple DeFi security incidents and presents ongoing challenges for incident response and fund recovery.","heading":"Broader Starknet Ecosystem Security Context","severity":"medium","sources":[{"credibility":2,"name":"mySwap Loses $305K On Starknet After Fake EVIL Token Abuses CL Pool Accounting - CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/myswap-loses-305k-on-starknet-after-fake-evil-token-abuses-cl-pool-accounting/"},{"credibility":2,"name":"SlowMist Hacked Database","type":"research","url":"https://hacked.slowmist.io/"}]}],"sources_used":[{"credibility":2,"name":"mySwap Loses $305K On Starknet After Fake EVIL Token Abuses CL Pool Accounting - CryptoAdventure","type":"news_article","url":"https://cryptoadventure.com/myswap-loses-305k-on-starknet-after-fake-evil-token-abuses-cl-pool-accounting/"},{"credibility":2,"name":"Starknet's mySwap Protocol Exploited, $300,000 Drained - Phemex News","type":"news_article","url":"https://phemex.com/news/article/starknets-myswap-protocol-exploited-300000-drained-90069"},{"credibility":2,"name":"mySwap CL TVL and Volume - DefiLlama","type":"research","url":"https://defillama.com/protocol/myswap-cl"},{"credibility":2,"name":"mySwap TVL and Volume - DefiLlama","type":"research","url":"https://defillama.com/protocol/myswap"},{"credibility":2,"name":"SlowMist Hacked Database","type":"research","url":"https://hacked.slowmist.io/"},{"credibility":2,"name":"mySwap Concentrated Liquidity on Starknet - Official Site","type":"official","url":"https://www.myswap.xyz/"},{"credibility":3,"name":"mySwap: Leading Starknet's AMM Arena with the Best Yields - Braavos","type":"other","url":"https://braavos.app/myswap-starknet-amm/"},{"credibility":3,"name":"mySwap on X (@mySwapxyz)","type":"social_media","url":"https://x.com/mySwapxyz"}],"summary":"mySwap launched in 2022 as the first automated market maker on Starknet and later introduced a Concentrated Liquidity (CL) product that reached a peak TVL of approximately $9.7 million in April 2024 before declining sharply to near-zero. On June 19, 2026, an attacker deployed a malicious token named EVIL to abuse the protocol's CL pool accounting and shared vault logic, draining approximately $305,000 in residual LP assets from over 100,000 positions. The stolen funds were bridged cross-chain and routed through Railgun; no recovery or formal post-mortem has been confirmed.","timeline":[{"date":"2022-03-01","event":"mySwap launches as the first AMM on Starknet mainnet, initially supporting ETH, USDC, DAI, and WBTC pools.","source":"Braavos Blog","source_url":"https://braavos.app/myswap-starknet-amm/"},{"date":"2023-11-28","event":"mySwap announces migration from the legacy constant-product AMM to mySwap Concentrated Liquidity (CL), offering a 14-day migration window with an incentive reward for users who migrate.","source":"mySwap on X (@mySwapxyz)","source_url":"https://x.com/mySwapxyz/status/1729807820365660315"},{"date":"2024-04-01","event":"mySwap CL reaches peak total value locked of approximately $9.7 million according to DefiLlama.","source":"DefiLlama - mySwap CL","source_url":"https://defillama.com/protocol/myswap-cl"},{"date":"2025-06-01","event":"mySwap CL TVL falls to approximately $5,000, a decline of over 99.9% from its April 2024 peak. Protocol is effectively dormant, with no new deposits accepted.","source":"DefiLlama - mySwap CL","source_url":"https://defillama.com/protocol/myswap-cl"},{"date":"2026-06-19","event":"At approximately 7:15 AM UTC, an attacker deploys a malicious token named EVIL on Starknet and uses it to abuse mySwap CL pool accounting and shared vault logic, draining 137.96 ETH, 45,000 USDC, 19,900 USDT, and 230,000 STRK — approximately $305,000 in total — from over 100,000 LP positions.","source":"CryptoAdventure","source_url":"https://cryptoadventure.com/myswap-loses-305k-on-starknet-after-fake-evil-token-abuses-cl-pool-accounting/"},{"date":"2026-06-19","event":"Attacker bridges stolen assets off Starknet and routes funds through the Railgun privacy protocol to obscure transaction flows. Protocol liquidity is nearly entirely depleted.","source":"CryptoAdventure","source_url":"https://cryptoadventure.com/myswap-loses-305k-on-starknet-after-fake-evil-token-abuses-cl-pool-accounting/"},{"date":"2026-06-20","event":"mySwap confirms the incident publicly, stating it is assessing the full impact. No post-mortem, recovery plan, or reimbursement announcement is issued as of this date.","source":"Phemex News","source_url":"https://phemex.com/news/article/starknets-myswap-protocol-exploited-300000-drained-90069"}]},"v":1}