- Dexible, a multichain exchange aggregator, had $2M worth of cryptocurrency stolen via an exploit.
- The attack was made possible by the selfSwap function which allowed users to provide their own routing information without being limited to a preapproved list.
- Dexible has paused its contracts and urged users to revoke token authorizations for them.
Dexible Aggregator Hacked for $2M
An exploit in the multichain exchange aggregator Dexible has resulted in the loss of $2 million worth of cryptocurrency. The attack was made possible through a buggy ‘selfSwap’ function that did not limit routers to a preapproved list.
Details of Attack
At 6:17 am UTC on Feb. 17, the team reported that it had discovered “a potential hack on Dexible v2 contracts” and was investigating the issue. Approximately nine hours later, it released a second statement that it now knew “$2,047,635.17 was exploited from 17 trader addresses. 4 on mainnet, 13 on arbitrum.”A post-mortem report was issued at 4:00 pm UTC as a PDF file and released on Discord, and the team said it was “actively working on a remediation plan.”In the report, the team states that it had noticed something was wrong when one of its founders had $50,000 worth of crypto moved out of his wallet for reasons that were unknown at the time. After investigating, they found that an attacker had used the app’s selfSwap function to move over $2 million worth of crypto from users that had previously authorized the app to move their tokens. The selfSwap function allowed users to provide their own routing information without being limited to a preapproved list. So, by using this function maliciously, attackers could route transactions from Dexible into their own smart contract and withdraw coins through Tornado Cash into unknown BNB (BNB) wallets.
Dexible has paused its contracts and urged users to revoke token authorizations for them as part of its remediation plan. This action is intended to prevent similar attacks from occurring again in future by limiting token transfers only between approved networks or routers.
This incident serves as an important reminder about security best practices when dealing with cryptocurrency transactions involving large amounts of money – authorization should always be granted carefully and only after thorough vetting procedures have been completed first. Additionally, developers should ensure there are appropriate safeguards in place when coding functions such as ‘selfSwap’ features so that user data is not vulnerable to exploitation by malicious actors.
As cryptocurrencies become more widely adopted around the world many exchanges like Dexible will continue popping up – making sure these platforms are secure is essential if we want people to trust them with their money. It’s important for all stakeholders involved in developing these platforms – from developers writing code through entrepreneurs launching new products – remain vigilant about cybersecurity threats and take measures accordingly so similar incidents can be avoided in future