Decentralized finance (DeFi) protocol WDZD Swap was exploited on May 19 for $1.1 million worth of Binance-Pegged Ether, according to a May 21 report from blockchain security firm CertiK. Binance-Pegged Ether represents Ether (ETH) that has been bridged to BNB Smart Chain (BSC).

According to the report, an attacker conducted nine malicious transactions that drained 609 Binance-Pegged ETH, worth $1.1 million at the time of the attack, from a contract associated with the WDZD project.

WDZD claims to be a DeFi project that runs on BSC. It is promoted by the Twitter account @DZDDAO, which has over 86,000 followers. The Telegram channel linked to this account also has 28,000 members. Cointelegraph could not verify how the protocol is supposed to work, and CertiK stated it is “not 100% on all the mechanics of the project.” However, the user interface for the app implies that it can be used to farm a token called “WDZD” in exchange for staking ETH.

WDZD Swap interface. Source: WDZD Swap

In a May 24 conversation with Cointelegraph, a representative from CertiK reported that WDZD may have also been sold to users for Binance-Pegged ETH as part of an initial DEX offering (IDO). CertiK shared an image of what appears to be a WDZD advertisement for an IDO.

WDZD advertisement. Source: CertiK

The BSC address at the bottom of the advertisement is 0xb75ac203c6fcba8d06659cd9c25a343598c6b627. Blockchain data shows that hundreds of transfers of ETH were made into this account. The account also transferred 460 ETH to another address, where it was then used in an “Add Liquidity” function call. This call is often used to deposit an asset to a liquidity pool in exchange for LP tokens.

Blockchain data shows that the deposited 460 ETH ended up in the “Swap LP” contract at BSC address 0xe0c352c56af65772ac7c9ab45b858cb43d22f28f.

On May 19, a known exploiter labeled “Fake_Phishing750” created the contract that later drained the tokens from the protocol. Fake_Phishing750 was responsible for an attack on another protocol called “Swap X,” CertiK stated.

Once the malicious contract was created, the attacker used it to perform nine transactions that drained $1.1 million of ETH from the Swap LP contract where the ETH had been deposited.

The Swap LP contract is unverified by BSCScan, which means that human-readable code for it is unavailable, making it difficult to determine exactly how the attacker drained the funds. However, CertiK claimed that the attacker could transfer WDZD tokens to the protocol’s factory address through an unverified function call. This WDZD was then swapped for LP tokens, which, in turn, were redeemed for the underlying ETH.

“The attacker manipulated a low-level call in the Swap-LP factory address which triggered the 0x33604058 function of the SwapLP Pair,” the report stated. “This resulted in the transfer of all WDZD tokens in the pair to the factory address. Consequently, the attacker was able to acquire a larger number of SWAP LPs from the unverified address 0x3c4e06d17e243e2cb2e4568249b6f7213c43c743, using fewer WDZD and subsequently burning the LPs for profit.”

Related: Project takes off with $31.6M in alleged exit scam

Cointelegraph attempted to contact WDZD Swap through the team’s Telegram channel. However, the channel produced a “sending messages is not allowed in this group” error message, indicating that it may have been set to only allow admin posts.

Hacks, scams and rug pulls have plagued the crypto community in 2023. On April 24, Ordinals Finance allegedly performed a rug pull, draining over $1 million in assets from the protocol’s contracts. On May 2, another $1 million was lost when an attacker exploited a bug in a Level Finance contract.

CertiK reported in May that losses from exploits declined in the first quarter, but the company also stated that this was probably a “temporary reprieve.”