DexibleApp aggregator hacked for $2M via ‘selfSwap’ function

The multichain exchange aggregator DexibleApp has been hit by an exploit, and $2 million worth of cryptocurrency has been lost as a result, according to a Feb. 17 post-mortem report released by the team on the project’s official Discord server.

As of 6:35 p.m. UTC on Feb. 17, the DexibleApp frontend shows a popup warning about the hack whenever users navigate to it.

At 6:17 a.m. UTC, the team reported that they had discovered “a potential hack on Dexible v2 contracts” and were investigating the issue. Approximately nine hours later, they released a second statement that they “now know $2,047,635.17 was exploited from 17 trader addresses. 4 on mainnet, 13 on arbitrum.”

A post-mortem report was issued at 4 p.m. UTC as a pdf file and released on Discord, and the team said it was “actively working on a remediation plan.”

In the report, the team stated that it had noticed something was wrong when one of its founders had $50,000 worth of crypto moved out of his wallet for reasons that were unknown at the time. After investigating, the team found that an attacker had used the app’s selfSwap function to move over $2 million worth of crypto from users that had previously authorized the app to move their tokens.

The selfSwap function allowed users to provide the address of a router and calldata associated with it to make a swap of one token for another. However, there was no list of pre-approved routers written into the code. So, the attacker used this function to route a transaction from Dexible to each token contract, moving users’ tokens from their wallets into the attacker’s own smart contract. Because these malicious transactions were coming from Dexible, which users had already authorized to spend their tokens, the token contracts did not block the transactions.

Related: NFT influencer falls victim to cyberattack, loses $300K+ CryptoPunks

After receiving the tokens into their own smart contract, the attacker withdrew the coins through Tornado cash into unknown Binance Coin (BNB) wallets.

Dexible has paused its contracts and urged users to revoke token authorizations for them.

The common practice of authorizing token approvals for large amounts has sometimes led to losses for crypto users due to buggy or outright malicious contracts, leading some experts to warn users to revoke approvals on a regular basis. The frontends for most Web3 apps do not directly allow users to edit the amount of tokens approved, so users often lose the full balance of their tokens if an app turns out to have a security flaw. Metamask and other wallets have tried to fix this problem by allowing users to edit token approvals at the wallet confirmation step. But many crypto users are still unaware of the risk of not using this feature.

All Dutch and English crypto news!

Bitcoiners betalen maar liefst 2,4 miljoen dollar voor halving blok

Vannacht vond de Bitcoin halving plaats, op het moment dat blok 840.000 toegevoegd werd, ging de beloning voor miners omlaag. Bitcoiners wilden maar al te...

Pro-XRP lawyer requests to be amicus curiae for Coinbase customers

Pro-XRP lawyer John Deaton says the urge to protect the customers "isn't about crypto," but more so about protecting the people that want to "build...

Bitcoin halving hype breaks week-long ETFs outflow streak

Five of the 10 approved ETFs recorded positive inflows that overshadowed the GBTC outflows, bringing in a total of $30.4 million to the spot BTC...

Where will Bitcoin’s price be at the next halving in 2028?

Experts say the price of Bitcoin could top $200,000 by 2028 but concerns around network security and miner profitability still loom. News Own this piece of crypto...

Beste exchanges

Koop je crypto bij Bitvavo