Cross-chain exchange aggregator DexibleApp has been attacked by an exploit, resulting in $2 million worth of cryptocurrency being lost, according to a post-mortem report posted Feb. 17 by the team on the official Discord server of the project.
As of 6:35pm UTC on February 17, the DexibleApp frontend displays a popup warning about the hack whenever users navigate through it.
At 6:17 a.m. UTC, the team reported that they had discovered “a possible hack in Dexible v2 contracts” and they were investigating the problem. Approximately nine hours later, they released a second statement stating that they “now know that $2,047,635.17 has been mined from 17 trader addresses. 4 on mainnet, 13 on arbitrum.”
A post-mortem report was issued at 4pm UTC as a pdf file and posted on Discord, and the team said it was “actively working on a remediation plan.”
In the report, the team stated that it realized something was wrong when one of its founders had $50,000 worth of cryptocurrency removed from his portfolio for reasons unknown at the time. Upon investigation, the team discovered that an attacker had used the app’s selfSwap feature to move more than $2 million worth of cryptocurrency from users who had previously authorized the app to move their tokens.
The selfSwap function allowed users to provide the address of a router and the call data associated with it to perform an exchange of one token for another. However, the code did not include a list of pre-approved routers. Thus, the attacker used this feature to route a transaction from Dexible to each token contract, moving users’ tokens from their wallets into the attacker’s own smart contract. Because these malicious transactions came from Dexible, which users had already authorized to spend their tokens, the token contracts did not block the transactions.
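To make the failure mode concrete, the following Solidity sketch is an added illustration and is not Dexible's code nor its remediation. `VulnerableSwapper` reproduces the pattern the article describes (caller-chosen router plus caller-chosen calldata, forwarded with the contract's own allowances behind it). `HardenedSwapper` is an assumed hardened design: an owner-managed router allowlist, funds pulled only from `msg.sender`, a per-swap bounded allowance that is reset afterwards, and output forwarded back to the caller. The `IERC20` interface is the standard ERC-20 surface; all contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC-20 surface used below (standard interface).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Vulnerable pattern (illustration only): the caller picks both the target
/// address and the calldata, and the contract forwards the call verbatim.
/// Every user who approved this contract has, in effect, delegated that
/// allowance to whoever can choose `router` and `data`.
contract VulnerableSwapper {
    function selfSwap(address router, bytes calldata data) external {
        (bool ok, ) = router.call(data); // arbitrary target, arbitrary calldata
        require(ok, "router call failed");
    }
}

/// Hardened variant (assumed design, not the project's own fix).
contract HardenedSwapper {
    address public immutable owner;
    mapping(address => bool) public allowedRouter;

    event RouterAllowed(address indexed router, bool allowed);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    /// Only the owner can add or remove routers; the set is visible on-chain.
    function setRouter(address router, bool allowed) external onlyOwner {
        allowedRouter[router] = allowed;
        emit RouterAllowed(router, allowed);
    }

    /// `data` must instruct the router to deliver `tokenOut` to this contract;
    /// the output check below rejects the swap otherwise.
    function selfSwap(
        address router,
        address tokenIn,
        uint256 amountIn,
        address tokenOut,
        uint256 minOut,
        bytes calldata data
    ) external {
        require(allowedRouter[router], "router not allowed");
        require(router != tokenIn && router != tokenOut, "router cannot be a token");

        // Pull funds only from the caller: the allowance users granted to this
        // contract can never be spent on behalf of a third party.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");

        // Bounded allowance for this swap only.
        require(IERC20(tokenIn).approve(router, amountIn), "approve failed");
        uint256 before = IERC20(tokenOut).balanceOf(address(this));

        (bool ok, ) = router.call(data);
        require(ok, "router call failed");

        // Reset so no leftover allowance survives for a later call to use.
        require(IERC20(tokenIn).approve(router, 0), "approve reset failed");

        uint256 received = IERC20(tokenOut).balanceOf(address(this)) - before;
        require(received >= minOut, "insufficient output");
        require(IERC20(tokenOut).transfer(msg.sender, received), "payout failed");
    }
}
```

Two caveats on the hardened version. The allowlist only helps if every listed router is itself unable to forward arbitrary calls (a router with a generic "execute" entry point re-creates the original problem one hop away), so each addition deserves review. And because users' approvals to an aggregator outlive any single swap, the contract-side checks are the defence that matters; the user-side mitigation discussed later in the article (bounded approvals, periodic revocation) limits the blast radius when those checks are missing.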
After receiving the tokens in his own smart contract, the attacker withdrew the coins via Tornado Cash to unknown Binance Coin (BNB) wallets.
Dexible has put its contracts on hold and urged users to revoke token authorizations for them.
The common practice of granting large token approvals has sometimes led to losses for cryptocurrency users due to buggy or outright malicious contracts, leading some experts to warn users to revoke approvals on a regular basis. The interfaces of most Web 3.0 applications do not directly allow users to edit the number of approved tokens, so users often lose their entire token balance if an application turns out to have a security flaw. MetaMask and other wallets have attempted to address this issue by allowing users to edit token approvals at the wallet confirmation step. But many cryptocurrency users are still unaware of the risk of not using this feature.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information presented here should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.