2023.02.07 - LianGo

On February 7, 2023, LianGo protocol was exploited for around $1.62M. A month before the attack, the attacker created a malicious fake token. The fake token address was added to the contract of the LGT pool. As adding an address to the contract requires to be an owner of the contract, it is likely that the attacker compromised the private keys of the LGT Pool owner address. As a result, the attacker was able to mint fake LP tokens to the LGT pool and receive LGT tokens, without depositing any real funds. The LGT tokens were then swapped in PancakeSwap to 1.62M BSC-USD and transferred to another attacker address (which was also funded via Tornado cash). The LGT pool was drained and the LGT price dropped 97%. The stolen funds currently remain in the attacker's address.