BlockSec releases a major vulnerability analysis of closed-source contracts: SwapNet and Aperture Finance suffered an attack due to insufficient input validation, resulting in a loss of 17 million dollars

BlockSec released a significant vulnerability analysis of a closed-source contract, detecting a series of suspicious transactions targeting victim contracts deployed on Ethereum, Arbitrum, Base, and BSC for SwapNet and Aperture Finance, with total losses exceeding $17 million.

Fundamentally, the root cause of both incidents is quite simple: the victim contracts have arbitrary call vulnerabilities due to insufficient input validation, allowing attackers to exploit this vulnerability to misuse existing token allowances and perform transferFrom to steal assets.

Although the SwapNet and Aperture Finance incidents affected different protocols and blockchains, the fundamental issues in both cases are not complex: user-controlled underlying calls and insufficient input validation in contracts holding token allowances.