
🚨 SCAM ALERT: Malicious ‘EVIL’ Token Manipulates Accounting to Drain ~$305K from mySwap CL Pools

Exploit Summary Table

| Metric | Details |
| --- | --- |
| Protocol Affected | mySwap (@mySwapxyz) on Starknet |
| Total Value Stolen | ~$305,000 |
| Assets Drained | 137.96 ETH, 45K USDC, 19.9K USDT, 230K STRK |
| Attack Vector | Shared Vault Accounting Manipulation via Permissionless Malicious Token |
| Vulnerability Type | Logic Error in Concentrated Liquidity (CL) Pool Accounting |
| Attacker Contract | 0x029f9de5cafb30f55e4a6f4f032e8774958520c1649b3a0441f1354c0b330518 |

Incident Overview

A critical exploit hit the mySwap decentralized exchange on Starknet, resulting in a loss of roughly $305,000 from its Concentrated Liquidity (CL) pools. This was a real, permissionless smart contract exploit rather than a project rug pull. The attacker successfully deployed a malicious token explicitly named “EVIL” to trick the protocol’s internal accounting mechanics into releasing legitimate user assets.

How the Exploit Worked: The “Shared Vault” Trap

Many modern Decentralized Exchanges (DEXs) utilize a “Shared Vault” architecture. Instead of every single token pair having its own isolated smart contract, all user assets (ETH, USDC, USDT, STRK) are escrowed inside one massive central vault contract to optimize gas fees.

The attacker weaponized this architecture through a multi-step accounting exploit:

  • Step 1: The Token Deployment: Because decentralized networks are permissionless, anyone can launch a token. The attacker minted a fake asset called EVIL and created a Concentrated Liquidity pool paired against a legitimate asset.
  • Step 2: The Accounting Manipulation: By interacting with the public math entry points of the mySwap CL pool contract, the attacker triggered an internal calculation flaw. They inflated the internal “virtual balance” or accounting credit of the EVIL token inside the pool without depositing equivalent value.
  • Step 3: The Vault Drain: The core protocol contract was tricked into believing the attacker had earned immense liquidity credits. The attacker then executed a withdrawal, but instead of taking back their worthless EVIL tokens, the broken internal ledger allowed them to extract the vault’s shared pool of blue-chip retail assets: 137.96 ETH, 45K USDC, 19.9K USDT, and 230K STRK.
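
A simplified model of the three steps above, added here as an illustration and not taken from mySwap's contracts. `SharedVault`, `faulty_credit` and the 1:1 token valuation are assumptions; `faulty_credit` stands in for the accounting flaw, whose details this article does not give. The model contrasts a withdrawal check against the vault-wide balance with one capped at each pool's own reserve.

```python
from collections import defaultdict

class SharedVault:
    """Toy shared-vault ledger. Constructed model, not mySwap's contract code."""

    def __init__(self, isolate_pools):
        self.isolate_pools = isolate_pools
        self.balance = defaultdict(int)   # token -> units the vault really holds
        self.reserve = defaultdict(int)   # (pool, token) -> units deposited via that pool
        self.credit = defaultdict(int)    # (pool, user) -> internal liquidity credit

    def deposit(self, pool, user, token, amount):
        self.balance[token] += amount
        self.reserve[(pool, token)] += amount
        self.credit[(pool, user)] += amount   # all tokens valued 1:1 for simplicity

    def faulty_credit(self, pool, user, amount):
        # Hypothetical stand-in for the accounting flaw: credit rises, no value arrives.
        self.credit[(pool, user)] += amount

    def withdraw(self, pool, user, token, amount):
        if amount > self.credit[(pool, user)]:
            raise ValueError("insufficient credit")
        # Shared mode trusts the vault-wide balance; isolated mode caps each pool
        # at what was actually deposited into it.
        limit = self.reserve[(pool, token)] if self.isolate_pools else self.balance[token]
        if amount > limit:
            raise ValueError("withdrawal exceeds available reserve")
        self.credit[(pool, user)] -= amount
        self.reserve[(pool, token)] -= amount
        self.balance[token] -= amount

    def insolvent_pools(self):
        # Monitoring invariant: no pool may have paid out more than it took in.
        return sorted({pool for (pool, _), units in self.reserve.items() if units < 0})


def simulate(isolate_pools):
    # Constructed scenario: one honest LP in ETH/USDC, one attacker pool EVIL/ETH.
    vault = SharedVault(isolate_pools)
    vault.deposit("ETH/USDC", "honest_lp", "ETH", 100)
    vault.deposit("EVIL/ETH", "attacker", "ETH", 1)
    vault.faulty_credit("EVIL/ETH", "attacker", 100)
    try:
        vault.withdraw("EVIL/ETH", "attacker", "ETH", 101)
        blocked = False
    except ValueError:
        blocked = True
    return vault.balance["ETH"], blocked, vault.insolvent_pools()
```

`simulate(False)` leaves the vault with no ETH and flags the EVIL/ETH pool as insolvent, while `simulate(True)` rejects the withdrawal and the honest LP's deposit stays in the vault.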

🛡️ SHIELDGUARD LEARN: Defensive Steps for Retail Liquidity Providers

This exploit exposes an uncomfortable truth for DeFi yield farmers: Your capital can be exposed to risks from pools you never even touched. If you were providing liquidity to a “safe” ETH/USDC pool, your actual tokens were sitting in the same master vault as the attacker’s fake “EVIL” token.

When farming yields in a shared-vault AMM environment, use these retail protective rules:

1. Identify “Shared Vault” vs. “Isolated Pair” Architectures

Before depositing assets into a liquidity pool, look at the protocol’s structure.

  • Isolated Pools (e.g., Uniswap V2 style): Each trading pair lives in its own standalone contract. If a fake token pair gets exploited, only the liquidity inside that specific pool is lost. The rest of the exchange remains untouched.
  • Shared Vaults (e.g., Balancer, core L2 DEXs): All assets are pooled together. If a protocol-level accounting bug is found, the entire protocol’s TVL can theoretically be breached.
  • Action: If you are risk-averse, favor isolated pool architectures or protocols that have undergone rigorous multi-signature vault state audits.

2. Monitor “Permissionless Pool Creation” Rules

If an exchange allows anyone to create a Concentrated Liquidity pool with any unverified token, the code handling those pools must treat external tokens with absolute zero trust. If a platform rushes to ship a Concentrated Liquidity upgrade without strict asset isolation or architectural firewalls, treat early-stage deployment phases as high-risk testing zones.

3. Diversify Your Yield Venues

Never park 100% of your idle stablecoins or layer-1 assets inside a single decentralized exchange’s vault architecture. Spreading your deployment across multiple separate protocols isolates your systemic risk; a single accounting exploit on one protocol won’t completely compromise your entire digital security perimeter.

🛡️ Secure Your Web3 Journey with ShieldGuard Protocol

Navigating permissionless DeFi networks requires institutional-grade oversight. ShieldGuard Protocol Ltd (UK Registration Number: 16580081) acts as your central defense hub, translating complex on-chain anomalies into actionable defensive blueprints for everyday investors.

By becoming a ShieldGuard premium member, you gain access to:

  • 🎓 Advanced DeFi Forensics: Learn how to read contract tracking platforms, identify architectural vault risks, and protect your address book from malicious contract interactions.
  • 💸 Vetted Frameworks: Skip unverified, high-risk testing environments. Access thoroughly audited, defensive passive income frameworks vetted by security experts.
  • 🪂 ShieldLabs Priority Drops: Secure priority allocations and early tokens from security-first, next-generation Web3 networks.

Stop guessing which pools are safe. Build your defensive perimeter today.

👉 Claim Your ShieldGuard Membership Now
