The decentralized exchange aggregator Dexible was the target of a $2 million attack early on Friday.
As of 6:35 PM UTC on February 17, whenever users use the Dexible front end, a pop-up alert regarding the vulnerability is displayed.
Using a bug in the smart contract code, the attacker was able to drain assets from wallets whose owners had granted the contract permission to spend their tokens.
At 6:17 am UTC, the team disclosed that it was investigating a possible compromise of the Dexible v2 contracts. Almost nine hours later, it issued a second statement putting the confirmed losses at $2,047,635. A small number of whales accounted for about 85% of the losses.
Dexible reported that 13 Arbitrum wallets and 5 Ethereum wallets were affected by the hack. The draining of these wallets has finished.
A post-mortem report was released as a PDF file and made accessible on Discord at around 4:00 PM UTC. The team added that it was putting the finishing touches on a corrective strategy.
The team states in the report that it became aware of the issue after one of its founders found $50,000 worth of cryptocurrency taken from his wallet for no apparent reason. The hacker transferred over $2 million in cryptocurrency from users who had previously granted the app permission to move their tokens through the selfSwap feature.
The selfSwap function let users swap one token for another by supplying a router's address together with the calldata to pass to it. The code did not, however, check the supplied address against a list of approved routers.
The attacker used this gap to have the Dexible contract call each token contract directly, transferring users' tokens from their wallets into the attacker's own smart contract. Because the transfer calls came from Dexible, which users had previously approved to spend their tokens, the token contracts had no basis to reject them.
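The pattern described above, shown as an added illustration (a hypothetical reconstruction, not Dexible's actual code): a vulnerable swap function that forwards arbitrary calldata to any address, beside a hardened version that restricts calls to an owner-approved router list and only ever moves the caller's own tokens. Contract and function names other than selfSwap are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Vulnerable pattern (hypothetical reconstruction, not Dexible's code): the contract
// forwards arbitrary calldata to any address, so the token approvals users gave this
// contract can be pointed at a token's own transferFrom() and spent on other users' balances.
contract VulnerableSelfSwap {
    function selfSwap(address router, bytes calldata data) external {
        (bool ok, ) = router.call(data); // no check on what `router` is or what `data` does
        require(ok, "router call failed");
    }
}

// Hardened pattern: only owner-approved routers can be called, and the contract
// pulls only msg.sender's tokens before handing them to that router.
contract HardenedSelfSwap {
    address public immutable owner;
    mapping(address => bool) public approvedRouters;

    event RouterApproval(address indexed router, bool approved);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Approved routers must be audited DEX contracts, never token contracts.
    function setRouter(address router, bool approved) external onlyOwner {
        approvedRouters[router] = approved;
        emit RouterApproval(router, approved);
    }

    function selfSwap(address router, address tokenIn, uint256 amountIn, bytes calldata data) external {
        require(approvedRouters[router], "router not approved");
        // A user's approval is only ever spent on that user's own transfer.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");
        require(IERC20(tokenIn).approve(router, amountIn), "approve failed");
        (bool ok, ) = router.call(data);
        require(ok, "router call failed");
    }
}
```

Tokens that do not return a bool from approve or transferFrom would need a SafeERC20-style wrapper in place of the bare require checks.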
Dexible's chief executive, Michael Coon, stated:
“We have paused these contracts, while we get a full picture of the situation.”
Blockchain data indicates that BlockTower Capital, a firm that invests in digital assets, was one of the victims.
According to the blockchain explorer Etherscan, the wallet address labeled as the Dexible exploiter drained around $1.5 million in TRU tokens from a wallet that blockchain intelligence firm Arkham Intelligence attributes to BlockTower. Nansen, another blockchain intelligence firm, has also attributed that address to BlockTower Capital.
Transaction data on Arkham shows that the exploiter sent the stolen TRU tokens to SushiSwap to trade them for Ethereum (ETH). They then sent the ETH to TornadoCash, a cryptocurrency mixing service.