mySwap’s concentrated liquidity pools on Starknet were drained for roughly $305,000 after an attacker deployed a fake token and used it to manipulate pool accounting.
The mySwap exploit involved a fake token named EVIL, which was used to distort the accounting path tied to the protocol’s CL pools and shared vault. The drained assets were listed as 137.96 ETH, 45,000 USDC, 19,900 USDT and 230,000 STRK.
The attack was not framed as a private-key compromise or an admin-level failure. It was a permissionless exploit against live DeFi logic, where the attacker used a malicious token interaction to pull real assets from a vault that held liquidity across multiple pools.
Fake Token Turned Into A Vault Drain
mySwap operates as a Starknet DEX, with concentrated liquidity pools designed to let liquidity providers place funds into narrower price ranges. That model can improve capital efficiency, but it also makes the internal accounting layer more important because the protocol must keep pool balances, vault balances and liquidity-provider claims aligned through every deposit, swap and withdrawal.
The EVIL token appears to have become the entry point into that accounting layer. Instead of simply trading a worthless token, the attacker used it to influence how the CL pool system recognized balances and released assets from the shared vault.
The result was a cross-asset drain. ETH, USDC, USDT and STRK were removed even though the fake token was the tool used to open the path. That is the central risk in this kind of exploit: one bad token interaction can affect real pool assets if validation and accounting boundaries are not strict enough.
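The boundary described above can be written down as a check. This is an added example, not mySwap's Cairo code and not a reconstruction of the bug, whose details the page does not give: a toy Python model of a shared vault where any token can be paired into a pool, each pool can release only what its own ledger holds, and custody is reconciled against the ledgers after every state change. `SharedVault`, `AccountingError` and the pool labels are hypothetical names, and the amounts are constructed.

```python
from collections import defaultdict
class AccountingError(Exception): pass

class SharedVault:
    def __init__(self):
        self.custody = defaultdict(int)  # token -> units the vault really holds
        self.ledger = defaultdict(int)   # (pool_id, token) -> units credited to that pool
        self.pool_tokens = {}            # pool_id -> the pool's two tokens

    def create_pool(self, pool_id, token_a, token_b):
        self.pool_tokens[pool_id] = frozenset((token_a, token_b))

    def deposit(self, pool_id, token, amount):
        self._require(pool_id, token, amount)
        self.custody[token] += amount
        self.ledger[(pool_id, token)] += amount
        self.check_invariant()

    def withdraw(self, pool_id, token, amount):
        # Boundary: a pool releases only what its own ledger holds for that token.
        self._require(pool_id, token, amount, limit=self.ledger[(pool_id, token)])
        self.ledger[(pool_id, token)] -= amount
        self.custody[token] -= amount
        self.check_invariant()

    def _require(self, pool_id, token, amount, limit=None):
        if token not in self.pool_tokens.get(pool_id, ()):
            raise AccountingError("token is not part of this pool")
        if amount <= 0 or (limit is not None and amount > limit):
            raise AccountingError("amount outside this pool's ledger")

    def check_invariant(self):
        # Per token, custody must equal the sum of every pool's ledger entry.
        totals = defaultdict(int)
        for (_, token), amount in self.ledger.items():
            totals[token] += amount
        if any(totals[t] != self.custody[t] for t in set(totals) | set(self.custody)):
            raise AccountingError("ledger/custody mismatch")

def blocked_cross_pool_withdrawal():
    v = SharedVault()  # constructed scenario
    v.create_pool("ETH/USDC", "ETH", "USDC")
    v.deposit("ETH/USDC", "ETH", 100)
    v.create_pool("EVIL/ETH", "EVIL", "ETH")
    v.deposit("EVIL/ETH", "EVIL", 10**9)
    try:
        v.withdraw("EVIL/ETH", "ETH", 100)
    except AccountingError:
        return v.custody["ETH"]
```

In this model the ETH deposited through the ETH/USDC pool stays in custody, because the EVIL/ETH pool's ledger holds no ETH regardless of how much EVIL it was credited.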
Starknet DeFi Gets A Live Accounting Test
The mySwap incident is smaller than the largest DeFi exploits this year, but the mechanism makes it important for Starknet liquidity providers. Concentrated liquidity systems depend on accurate state updates. A fake token should not be able to confuse pool accounting or create a route into a shared vault holding real assets.
The pattern sits close to other recent DeFi failures where accounting logic became the weak point. The Thetanuts legacy vault exploit showed how vault math can break under edge-case conditions, while the Base Safe integration drain showed how one exposed execution path can move funds quickly when permissions and asset flow line up against the holder.
mySwap’s case is different because it centers on a malicious token created for the attack, not a legacy vault or a Safe integration. The shared theme is that complex DeFi systems often fail where assets, accounting and permissions meet.
Loss Figure Remains Tied To First Technical Read
The best current loss estimate remains roughly $305,000 across ETH, USDC, USDT and STRK. No confirmed recovery, reimbursement plan or full mySwap postmortem had been published alongside the first public technical breakdown.
The first public read identifies a fake EVIL token, manipulated CL pool accounting and a shared-vault drain on Starknet. The incident remains at the alert stage until mySwap publishes its own postmortem or response.
The post mySwap Loses $305K On Starknet After Fake EVIL Token Abuses CL Pool Accounting appeared first on Crypto Adventure.