mySwap CL Exploit: $305K Drained via Fake EVIL Token Accounting Flaw
$305K was drained from mySwap CL on Starknet after a fake EVIL token distorted concentrated-liquidity accounting and unlocked real assets from shared vaults.

- Incident Date: June 19, 2026
- Target: mySwap CL protocol on Starknet
- Target Overview: mySwap is a Starknet decentralized exchange and AMM. The affected mySwap CL protocol was its concentrated-liquidity product; mySwap said the interface had been closed to new liquidity for more than six months, leaving mostly residual LP positions spread across more than 100,000 positions.
- Total Loss: Approximately $305,000 reported loss; mySwap's initial security update rounded the drain to ~$300,000.
- Reported Stolen Assets: Approximately 137.96 ETH, 45,000 USDC, 19,900 USDT, and 230,000 STRK.
- Reported Fund Flow: mySwap said the attacker bridged the stolen funds and used Railgun to obfuscate the asset trail.
- Attack Vector: Smart-contract logic flaw / fake-token validation and concentrated-liquidity accounting failure
Incident Review & Technical Details
1. Attack Path
- Residual CL liquidity remained callable on-chain: mySwap said the interface had been closed to new liquidity for more than six months, but residual LP positions still existed across more than 100,000 positions. That left value in a semi-retired protocol surface even though ordinary new liquidity entry had already been shut down.
- A fake EVIL token entered the accounting path: Intellectia reported that the attacker used a fake token named EVIL to exploit mySwap's concentrated-liquidity pools. The reviewed sources did not disclose the vulnerable function or a transaction trace, so this should be treated as a high-level reconstruction rather than a final root-cause postmortem.
- Concentrated-liquidity accounting accepted a bad asset boundary: The reported failure mode indicates that the protocol's accounting path did not sufficiently bind pool assets, position accounting, and withdrawable vault balances to trusted token contracts. That let fake-token state influence access to real pooled assets.
- Real assets were drained from remaining liquidity: Public reporting placed the affected assets at approximately 137.96 ETH, 45,000 USDC, 19,900 USDT, and 230,000 STRK, for a combined reported value of about $305,000.
- Funds were moved off the original path: mySwap said the attacker bridged the stolen funds and used Railgun to obfuscate the flow of assets. The team also said the exploit drained nearly all remaining liquidity from the protocol.
2. Impact Scope
- Protocol-Level Loss: The canonical loss figure for this post is approximately $305,000, while the official mySwap statement rounded the incident to ~$300,000.
- Affected Component: The affected component was mySwap CL, the concentrated-liquidity protocol on Starknet, not a reported front-end, private-key, or governance compromise.
- Affected Liquidity: mySwap said the affected balances were mostly residual LP positions spread across more than 100,000 positions.
- Affected Assets: Public reporting identified the stolen assets as approximately 137.96 ETH, 45,000 USDC, 19,900 USDT, and 230,000 STRK.
- Fund-Flow Risk: Bridging plus Railgun obfuscation reduces near-term recovery visibility and increases the need for exchange, bridge, and analytics coordination.
- Disclosure Gap: The reviewed sources did not identify the exploit transaction, attacker address, victim contract, affected pool list, patch diff, reimbursement plan, or final technical postmortem at the time of writing.
3. Official Statements
- mySwap: mySwap disclosed that the mySwap CL protocol was exploited at 07:15 UTC on June 19, 2026, resulting in approximately $300,000 being drained from liquidity pools. The team said the interface had been closed to new liquidity for more than six months and that remaining balances were mostly residual LP positions.
- mySwap on Fund Flow: mySwap said the attacker bridged stolen funds and used Railgun to obfuscate the asset flow, and that the exploit drained nearly all remaining liquidity from the protocol.
- PANews: PANews summarized the same official disclosure on June 20, 2026, emphasizing the residual LP-position exposure and Railgun-obfuscated fund flow.
- Intellectia: Intellectia reported the more granular $305,000 figure, described the fake EVIL token angle, and listed the affected asset mix as 137.96 ETH, 45,000 USDC, 19,900 USDT, and 230,000 STRK.
4. Investigation Progress
The public record is enough to classify the incident as a smart-contract accounting failure affecting mySwap CL's residual liquidity, but not enough to name the exact vulnerable function or prove the full transaction path. The most important follow-up is whether all CL entrypoints that can touch residual liquidity have been paused, patched, or migrated, and whether LP balances have been snapshotted for remediation.
Recommended response steps for mySwap-style concentrated-liquidity systems:
- Publish the exploit transaction, attacker address, affected contracts, impacted pool list, and final asset-by-asset accounting.
- Reconstruct the fake-token path on a fork and convert it into regression tests covering pool creation, position minting, token binding, liquidity removal, and vault withdrawals.
- Enforce strict asset binding between pool configuration, token contracts, position IDs, vault balances, and withdrawable assets.
- Inventory semi-retired or UI-disabled protocol surfaces that still hold residual value and remain callable directly on-chain.
- Add monitoring for untrusted token symbols, unexpected pool-token relationships, abnormal residual-liquidity withdrawals, bridge exits, and Railgun-adjacent fund movements.
- Communicate whether affected LPs will receive reimbursement, claim contracts, or migration support after the remaining balance snapshot is finalized.
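The asset-binding failure sketched in the Attack Path and the "strict asset binding" and fork-regression-test recommendations above, as an added illustrative model. This is example code written for this write-up, not mySwap code, and it does not reproduce the undisclosed exploit path: the token names, contract addresses, amounts, and the two vault classes are constructed assumptions. The weak model keys position credits by token symbol, so a counterfeit token that copies a real symbol earns a credit redeemable against the genuine contract's reserve; the hardened model fixes the allowed token contract addresses at pool configuration time, denominates every position in one of them, and asserts a credits-versus-reserves invariant after every state change, which is the shape a regression test for this class of bug would take.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    address: str  # contract address: the only identity the vault may trust
    symbol: str   # display string; an attacker chooses this freely for a fake token


# Constructed sample tokens; addresses and symbols are made up for the model.
REAL_ETH = Token("0x00aa", "ETH")
FAKE_ETH = Token("0x0bad", "ETH")   # counterfeit: same symbol, different contract
USDC = Token("0x00cc", "USDC")


class SymbolBoundVault:
    """Weak model: credits keyed by symbol, reserves keyed by real contract."""

    def __init__(self):
        self.reserves = {}   # token address -> amount the vault really holds
        self.credits = {}    # position id -> (symbol, amount)
        self._next_id = 1

    def deposit(self, token, amount):
        self.reserves[token.address] = self.reserves.get(token.address, 0) + amount
        pid = self._next_id
        self._next_id += 1
        self.credits[pid] = (token.symbol, amount)
        return pid

    def withdraw(self, pid, token):
        symbol, amount = self.credits[pid]
        if symbol != token.symbol:
            raise ValueError("position symbol mismatch")
        # Pays out of whichever contract address the caller names.
        if self.reserves.get(token.address, 0) < amount:
            raise ValueError("insufficient reserve")
        del self.credits[pid]
        self.reserves[token.address] -= amount
        return amount


class AddressBoundVault:
    """Hardened model: pool config fixes token addresses; positions and
    reserves are bound to them; an invariant ties credits to reserves."""

    def __init__(self, pool_tokens):
        self.allowed = frozenset(t.address for t in pool_tokens)
        self.reserves = {a: 0 for a in self.allowed}
        self.credits = {}    # position id -> (token address, amount)
        self._next_id = 1

    def deposit(self, token, amount):
        if token.address not in self.allowed:
            raise ValueError(f"token {token.address} is not bound to this pool")
        self.reserves[token.address] += amount
        pid = self._next_id
        self._next_id += 1
        self.credits[pid] = (token.address, amount)
        self._check_invariant()
        return pid

    def withdraw(self, pid, token):
        address, amount = self.credits[pid]
        if address != token.address:
            raise ValueError("position is not denominated in the requested token")
        del self.credits[pid]
        self.reserves[address] -= amount
        self._check_invariant()
        return amount

    def _check_invariant(self):
        # Outstanding credits per token address must never exceed its reserve.
        owed = {a: 0 for a in self.allowed}
        for address, amount in self.credits.values():
            owed[address] += amount
        for address in self.allowed:
            assert self.reserves[address] >= owed[address], "credits exceed reserve"


def run_scenario():
    """Constructed scenario: an honest LP leaves 100 units of real ETH in a
    semi-retired pool; an attacker deposits 100 units of the counterfeit and
    then withdraws as real ETH. Returns the outcome under both models."""
    weak = SymbolBoundVault()
    weak.deposit(REAL_ETH, 100)                 # residual honest liquidity
    attacker_pos = weak.deposit(FAKE_ETH, 100)  # counterfeit credited as "ETH"
    drained = weak.withdraw(attacker_pos, REAL_ETH)

    bound = AddressBoundVault([REAL_ETH, USDC])
    bound.deposit(REAL_ETH, 100)
    try:
        bound.deposit(FAKE_ETH, 100)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "weak_drained": drained,
        "weak_real_eth_left": weak.reserves[REAL_ETH.address],
        "bound_rejected_fake": rejected,
        "bound_real_eth_left": bound.reserves[REAL_ETH.address],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of the model is the identity used for binding: a symbol is attacker-supplied metadata, while a contract address fixed in pool configuration is not. On a fork, the same scenario would be run against the real pool, position, and vault contracts, with the invariant check turned into a post-condition on every liquidity-removal and withdrawal entrypoint that can still reach residual balances.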
AUTOSEC.DEV Solution
The mySwap CL exploit shows how a closed-to-new-liquidity product can still carry exploitable residual value if token validation and liquidity accounting are not hardened end to end.
- Secure Code Review - The reported fake EVIL token path points to a failure in token binding and concentrated-liquidity accounting, not a simple UI issue. AUTOSEC.DEV reviews smart-contract invariants around pool asset configuration, position ownership, vault balance accounting, and withdrawal authorization to catch fake-asset and wrong-token assumptions before they reach mainnet.
- Penetration Testing - mySwap CL had been closed to new liquidity for more than six months, but direct on-chain interactions still mattered because residual LP value remained. We reproduce attacker workflows on forks, including counterfeit token inputs, legacy entrypoints, residual pool withdrawals, and bridge-ready exit paths, so teams can validate controls under realistic transaction pressure.
- Incident Response - Because mySwap reported bridging and Railgun obfuscation, the response needs more than a patch. AUTOSEC.DEV supports exploit reconstruction, LP impact scoping across large position sets, fund-flow tracing, bridge and exchange coordination, disclosure support, and remediation evidence review.