ParaSwap begins returning crypto after critical smart contract bug

Decentralized finance (DeFi) aggregator ParaSwap has begun returning crypto to users after addressing a critical vulnerability in its newly launched AugustusV6 smart contract last week.

The DeFi platform’s team said in a post on X on March 24 that it has returned to users’ wallets all assets that were successfully recovered by white hat hackers and has also revoked permissions to AugustusV6.

According to ParaSwap, 213 addresses still have not revoked allowances to the flawed contract.

Revoking a smart contract’s permissions usually involves disabling or terminating its functionality on a blockchain and preventing it from accessing the user’s wallet and tokens.
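For the allowance revocation mentioned above, here is an added example (not ParaSwap's code and not part of the original article) of how a wallet owner can check a standard ERC-20 allowance and build the call that zeroes it. The addresses and return values are constructed placeholders, not the real AugustusV6 or token addresses, and the script makes no network requests.

```python
import json

# Standard ERC-20 selectors: first 4 bytes of keccak256(function signature).
SEL_ALLOWANCE = "dd62ed3e"  # allowance(address,address)
SEL_APPROVE = "095ea7b3"    # approve(address,uint256)

# Constructed placeholder addresses (assumptions, not real contracts).
OWNER = "0x" + "11" * 20    # the user's wallet
SPENDER = "0x" + "22" * 20  # stands in for the contract being revoked
TOKEN = "0x" + "33" * 20    # an ERC-20 token the user once approved

def _strip0x(s):
    s = s.lower()
    return s[2:] if s.startswith("0x") else s

def _addr_word(addr):
    """ABI-encode a 20-byte address as a left-padded 32-byte hex word."""
    h = _strip0x(addr)
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a 20-byte address: {addr!r}")
    return h.rjust(64, "0")

def allowance_call(token, owner, spender):
    """JSON-RPC eth_call body that reads allowance(owner, spender) on token."""
    data = "0x" + SEL_ALLOWANCE + _addr_word(owner) + _addr_word(spender)
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}

def decode_allowance(result_hex):
    """Decode the single uint256 word returned by the eth_call."""
    h = _strip0x(result_hex)
    if len(h) != 64:
        raise ValueError("expected exactly one 32-byte word")
    return int(h, 16)

def still_exposed(result_hex):
    """True if the spender can still move any of the owner's tokens."""
    return decode_allowance(result_hex) > 0

def revoke_calldata(spender):
    """Calldata for approve(spender, 0), which sets the allowance to zero."""
    return "0x" + SEL_APPROVE + _addr_word(spender) + "0" * 64

if __name__ == "__main__":
    print(json.dumps(allowance_call(TOKEN, OWNER, SPENDER), indent=2))
    unlimited = "0x" + "f" * 64  # constructed reply: "infinite" approval
    if still_exposed(unlimited):
        print("send to token contract:", revoke_calldata(SPENDER))
```

The revoke transaction is sent from the owner's wallet to the token contract, not to the spender, and has to be repeated for each token that was approved.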

Last week, ParaSwap said it had discovered a vulnerability in a newly launched smart contract, but timely intervention by white hat hackers prevented a large loss of assets from the platform.

In a separate update, the team stated that it had taken the first step by submitting a comprehensive report to the appropriate authorities, kickstarting the investigation into the stolen funds.

ParaSwap is collaborating closely with blockchain analytics and security firms Chainalysis and TRM Labs and is “actively engaged in identifying hacker addresses and tracing the movement of the funds.”

The team added that they had initiated contact with the identified hacker addresses through on-chain messaging, urging the return of the stolen user funds.

If the hacker does not respond by March 27, “we will assume you appropriated the funds with unlawful intent, and we will pursue all criminal, legal, and administrative avenues” to recover them, it added.

At the time, the losses were reportedly small, with initial findings revealing that the hackers got away with just $24,000 before the vulnerability was discovered.

ParaSwap discovered the vulnerability in its newly launched AugustusV6 smart contract on March 20, only days after the Augustus contract went live on March 18 with the aim of improving token swaps and reducing transfer fees.

The platform paused the application programming interface (API) after the discovery and secured the funds through a white hat hack.