ParaSwap “Investigating” Possible Private Key Hack
Blockchain security firm Supremacy Inc. alerted ParaSwap to a potential exploit early Tuesday. “Your deployer address private key may have been compromised,” the team wrote.
ParaSwap confirmed it was investigating the incident.
ParaSwap “Investigating” Address Issue
ParaSwap may have suffered a hack, blockchain security firm Supremacy Inc. has reported.
1/ Hi @paraswap, I heard that you want to see this? your deployer address private key may have been compromised (possibly due to Profanity vulnerability) and funds have been stolen on multiple chains. https://t.co/ijHaTwAj0l
— Supremacy Inc. (@Supremacy_CA) October 11, 2022
Supremacy Inc. first alerted ParaSwap to an issue in a Tuesday tweet storm. “Your deployer address private key may have been compromised (possibly due to Profanity vulnerability),” the warning read. “Funds have been stolen on multiple chains.”
ParaSwap was quick to respond to the posts, confirming that it was looking into the incident. “We’re investigating, but the address has no power after the deployment. Just paid the gas and retired. Profanity addresses usually have trailing zeros,” the team wrote.
Supremacy Inc. included an Etherscan link to ParaSwap’s deployer contract address. The wallet’s transaction history shows that someone with access to its private key made several transfers across Ethereum, BNB Chain, and Fantom earlier this morning, though they only withdrew a few hundred dollars in each transaction. Notably, the ParaSwap team did not confirm that it made the transactions in its response, nor did it deny any vulnerability.
Several members of the crypto community weighed in on Supremacy Inc.’s post shortly after it went live. “Still not as bad PR as the airdrop,” said UpOnly co-host Cobie, referring to ParaSwap’s divisive 2021 token airdrop, which used a strict distribution model that excluded many loyal users. PSP suffered shortly after the airdrop and never recovered; per CoinGecko data, it’s about 98.8% short of its all-time high today.
Update: In a follow-up tweet, ParaSwap said that it had found no sign of an exploit. “No vulnerability found! We’ll follow up with analysis & an explanation of what’s a deployer address and how we made sure they have no power at all!”
Editor’s note: An earlier version of this article incorrectly stated that ParaSwap’s contract address held 1.8 billion PSP tokens. It’s since been updated.
Disclosure: At the time of writing, the author of this piece owned ETH and several other cryptocurrencies.