- mySwap lost up to $305,000 after a bogus token manipulated pool balance calculations.
- F12 Security said the attacker took ETH, USDC, USDT, and STRK from mySwap’s shared vault.
- Stolen assets were bridged across networks and routed through Railgun, F12 Security said.
mySwap, a Starknet exchange, was exploited on Friday, and about $300,000 to $305,000 was drained from its concentrated liquidity pools. Blockchain security firm F12 Security disclosed that the attacker targeted protocol liquidity accounting, not users directly. The incident affected funds held in smart contracts.
F12 Security placed the exploit at about 7:15 a.m. UTC. It said the attacker deployed a fraudulent token called “EVIL” and then introduced it into mySwap’s concentrated liquidity pools containing remaining funds. The token was allegedly used to manipulate accounting linked to pool balances and asset pricing during the exploit.
🚨 @mySwapxyz (Starknet) exploited ~$305K drained from the CL pools
Attacker deployed a fake "EVIL" token to manipulate the pool accounting and drain the shared vault: 137.96 ETH, 45K USDC, 19.9K USDT, 230K STRK
Real permissionless exploit, not a rug pic.twitter.com/h05RMYVBaa
— F12 (@f12sec) June 19, 2026
Fake Token Exploit Drains mySwap Liquidity Vault
According to the security firm, the contracts accepted the fake asset within the affected pool structure. This reportedly disrupted the calculations used to track balances and values inside the pools. The resulting gap allowed the exploiter to remove genuine assets from the shared vault without reported administrator access or stolen keys, according to the report.
F12 Security said 137.96 ETH, 45,000 USDC, 19,900 USDT, and 230,000 STRK were taken from the vault. Those assets represented the estimated loss range cited by the firm after the exploit. The report described the breach as a liquidity-system attack, not an attack on individual account holders or their wallets.
After the withdrawal, the attacker reportedly bridged the assets across several blockchain networks to conceal their later route. F12 Security also said the funds passed through Railgun after the bridges. That use of a privacy protocol could make later movements more difficult to trace through public transaction records.
mySwap confirmed the incident in an X post after the attack. The exchange said its interface had stopped taking new liquidity more than six months earlier. Yet, remaining funds were still spread across over 100,000 small liquidity positions held in its smart contracts at the time of the attack.
Security update: at 7:15am UTC today, the mySwap CL protocol was exploited, resulting in ~$300K being drained from liquidity pools.
The mySwap interface has been closed to new liquidity for the past 6+ months, and the remaining balances were mostly residual LP positions spread…
— mySwap – Starknet AMM (@mySwapxyz) June 19, 2026
mySwap Loss Follows Aztec and Axelar Security Incidents
The team said almost all liquidity still left in the system was drained. It did not provide a breakdown of losses across individual positions or affected tokens. The information cited also did not include a recovery plan or a timeline for further action from the exchange.
The mySwap incident followed another reported DeFi loss involving Aztec Network’s private rollup bridge. PeckShieldAlert reported about $2.165 million in losses from that event a day earlier. Its figures included 1,158 ETH, 150,000 DAI, and a small amount of renBTC.
Axelar also disclosed a separate issue affecting assets bridged to Secret Network earlier on Friday. The network said approximately $4.67 million worth of tokens was taken through a problem in a smart contract system used for cross-chain transfers. It said the issue involved assets moved from Axelar to Secret.
We have identified an incident affecting assets bridged over IBC to Secret Network from the Axelar chain, with approximately $4.67M worth of tokens taken. Based on current information, the issue is isolated to the Secret-side ICS-20 smart contract of the Cosmos IBC connection…
— Axelar Network (@axelar) June 19, 2026
Figures cited in the report put losses from comparable exploits at around $328 million by mid-May 2026. The reported cases included the KelpDAO–LayerZero, Drift Protocol, THORChain, and Verus Protocol incidents. The mySwap breach adds another reported case involving DeFi liquidity pools and smart-contract accounting.