Key Highlights
- Attackers used a fake token (“EVIL”) to trick mySwap’s liquidity pool system and drain about $300K–$305K in assets.
- The exploit targeted smart contract math flaws, allowing stolen funds like ETH, USDC, USDT, and STRK to be moved and later hidden using Railgun.
- The incident adds to a series of DeFi exploits in 2026, with hundreds of millions of dollars lost through smart contract and bridge vulnerabilities.
mySwap, a decentralized exchange on Starknet, was exploited on Friday, with about $300,000 to $305,000 drained from its concentrated liquidity (CL) pools, according to blockchain security firm F12 Security.
In a post on X, F12 Security said the attacker went after the protocol’s liquidity system instead of attacking users directly. “Attacker deployed a fake ‘EVIL’ token to manipulate the pool accounting and drain the shared vault: 137.96 ETH, 45K USDC, 19.9K USDT, 230K STRK,” the security firm wrote.
How the exploit happened
The exploit occurred at around 7:15 am UTC and affected the remaining funds still sitting inside the platform. According to F12 Security, the attacker created and introduced a fake token called “EVIL” into the mySwap liquidity pools.
Once the token was accepted by the system, it started to confuse how the protocol calculates prices and balances inside the pool. In short, the system began to “trust” the fake token as if it were real and valuable. This opened a gap in the math used by the smart contracts. The attacker used that gap to slowly pull real money out of the pool without needing any special admin access or stolen keys.
F12 Security reported that the attacker stole about 137.96 ETH, 45,000 USDC, 19,900 USDT, and 230,000 STRK.
After draining the funds, the attacker reportedly bridged the stolen assets across different networks. They also used Railgun to obscure transaction trails, which made it harder to track where the assets moved afterward.
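F12 Security's description above involves a pool built around an attacker-created token and a vault shared by all pools. The Python model below is an added illustration, not mySwap's code and not a reconstruction of the actual bug, which the page does not detail: it shows the isolation rule a shared-vault design depends on, where each pool can only debit what its own ledger was credited with, plus a solvency invariant a monitor can check. All class, pool and function names are hypothetical, and the balances are constructed.

```python
from collections import defaultdict

class AccountingError(Exception):
    """Raised when a pool tries to move funds it is not credited with."""

class SharedVault:
    """Toy model: one balance per token, plus a per-pool ledger of credits."""
    def __init__(self):
        self.balances = defaultdict(int)  # token -> units actually held
        self.ledger = defaultdict(int)    # (pool_id, token) -> units credited

    def deposit(self, pool_id, token, amount):
        if amount <= 0:
            raise AccountingError("deposit must be positive")
        self.balances[token] += amount
        self.ledger[(pool_id, token)] += amount

    def withdraw(self, pool_id, pool_tokens, token, amount):
        # A pool may only touch the assets it was created with.
        if token not in pool_tokens:
            raise AccountingError(f"{token} is not an asset of pool {pool_id}")
        # Bound the debit by the pool's own credit, never the vault-wide balance.
        if amount <= 0 or amount > self.ledger[(pool_id, token)]:
            raise AccountingError(f"pool {pool_id} is not credited with {amount} {token}")
        self.ledger[(pool_id, token)] -= amount
        self.balances[token] -= amount

    def solvent(self):
        """Invariant: per token, pool credits sum exactly to the balance held."""
        credited = defaultdict(int)
        for (_, token), units in self.ledger.items():
            credited[token] += units
        return all(credited[t] == self.balances[t]
                   for t in set(credited) | set(self.balances))

def demo():
    vault = SharedVault()
    vault.deposit("ETH/USDC", "ETH", 100)
    vault.deposit("ETH/USDC", "USDC", 200_000)
    # Constructed case: a pool pairing an unvetted token with ETH.
    evil_assets = ("EVIL", "ETH")
    vault.deposit("EVIL/ETH", "EVIL", 10**12)
    vault.deposit("EVIL/ETH", "ETH", 1)
    results = []
    for token, amount in [("ETH", 1), ("ETH", 50), ("USDC", 1000)]:
        try:
            vault.withdraw("EVIL/ETH", evil_assets, token, amount)
            results.append("ok")
        except AccountingError:
            results.append("rejected")
    return results, vault.solvent(), vault.balances["ETH"]
```

Only the 1 ETH that the new pool itself deposited can leave through it; the other pools' ETH and USDC stay put, and `solvent()` gives a cheap check to run after every state change.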
mySwap confirms the exploit
Following the exploit, mySwap confirmed the incident in an X post, explaining that the platform interface had not accepted new liquidity for more than six months. However, the system still had leftover liquidity spread across more than 100,000 small liquidity positions, and those were the ones affected.
The team confirmed that almost all remaining liquidity inside the system was drained during the attack. Even though the platform was no longer actively growing, it still had locked funds sitting in smart contracts, and those became the target.
DeFi exploits continue across the sector
The incident adds to a growing number of DeFi exploits this year. A day ago, PeckShieldAlert reported an exploit on Aztec Network’s private rollup bridge, which led to a loss of about $2.165 million, including 1,158 ETH, 150,000 DAI, and a small amount of renBTC. According to the report, the attacker was initially funded with 0.134 ETH from HitBTC before carrying out the exploit.
Earlier today, Axelar also reported a separate issue affecting assets bridged to Secret Network. Around $4.67 million worth of tokens were taken due to a problem in the smart contract system used in cross-chain transfers.
In short, a clear pattern is forming in the DeFi space. Many of the biggest losses this year did not come from breaking blockchain security itself. Instead, they came from mistakes in smart contract logic, especially in the math that governs how far a token is trusted.
According to the figures cited, losses from similar exploits had reached approximately $328 million as of mid-May 2026. Reported incidents include the $292 million KelpDAO–LayerZero exploit, the $285 million Drift Protocol exploit, the $10.8 million THORChain exploit, and the $11.58 million Verus Protocol incident.
