According to the post-mortem report published by the team on the official Discord server on February 17, the multi-chain exchange aggregator DexibleApp was exploited, resulting in the loss of $2 million worth of cryptocurrency.
As of 18:35 UTC Feb 17, the DexibleApp interface shows a hack warning popup whenever users navigate to it.
At 6:17 AM UTC, the team reported that they had discovered a “potential hack in Dexible v2 contracts” and were investigating the issue. Approximately nine hours later, they released a second statement that “they now know that $2,047,635.17 was used from the addresses of 17 traders. 4 in mainnet, 13 in arbitrage.”
The post-mortem report was released at 4:00 pm UTC as a PDF file and posted on Discord, with the team saying they are “actively working on a fix plan”.
In the report, the team said they noticed something amiss when one of its founders withdrew $50,000 worth of cryptocurrencies from his wallet for reasons unknown at the time. Upon investigation, the team discovered that the attacker had used the app’s selfSwap feature to move more than $2 million worth of cryptocurrencies from users who had previously allowed the app to move their tokens.
The selfSwap feature allowed users to specify a router address and associated call data to exchange one token for another. However, no list of pre-approved routers was written into the code. So, the attacker used this feature to route a transaction from Dexible to each token contract, moving users’ tokens from their wallets to the attacker’s own smart contract. Since these malicious transactions originated from Dexible, which users had already allowed to spend their tokens, the token contracts did not block the transactions.
Having received the tokens in his own smart contract, the attacker withdrew the coins via Tornado Cash to unknown Binance Coin (BNB) wallets.
Dexible has suspended its contracts and urged users to revoke token authorization for them.
The common practice of approving large amounts of tokens has sometimes led to losses for cryptocurrency users due to erroneous or outright malicious contracts, leading some experts to warn users to revoke approvals on a regular basis. The interfaces for most Web3 applications do not allow users to directly edit the number of approved tokens, so users often lose their entire balance of a token if a security breach is discovered in the application. MetaMask and other wallets have tried to solve this problem by allowing users to edit token approvals at the wallet confirmation stage. But many crypto users still don’t realize the risk of not using this feature.
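The selfSwap flaw and the approval-size point described above, as an added example that is not from the original article or from Dexible's code: a toy Python model showing that a forwarded call spends a user's allowance when no router allowlist exists, that an allowlist rejects it, and that a bounded approval caps the loss. All class names, account names and amounts are constructed assumptions.

```python
# Toy in-memory model, constructed for illustration (not Dexible's contract code).

class Token:
    """Minimal ERC-20-style ledger: balances plus per-spender allowances."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> remaining approved amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        # The token only checks that the *caller* holds an allowance from owner.
        if self.allowance.get((owner, caller), 0) < amount:
            raise PermissionError("allowance too low")
        if self.balances.get(owner, 0) < amount:
            raise PermissionError("balance too low")
        self.allowance[(owner, caller)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Aggregator:
    """Forwards a caller-supplied call to a caller-supplied 'router'."""
    name = "aggregator"

    def __init__(self, approved_routers=None):
        # None models the flaw: no list of pre-approved routers exists.
        self.approved_routers = approved_routers

    def self_swap(self, router, method, *args):
        # Mitigation: refuse any call target that is not a known router.
        if self.approved_routers is not None and router not in self.approved_routers:
            raise PermissionError("router not on allowlist")
        # The forwarded call carries the aggregator's identity, not the user's.
        return getattr(router, method)(self.name, *args)


def simulate(use_allowlist, approval):
    """Return the user's balance after a third party submits a forwarded call."""
    token = Token({"user": 1000})
    agg = Aggregator(approved_routers=set() if use_allowlist else None)
    token.approve("user", agg.name, approval)  # user approved the app earlier
    try:
        # The token contract itself is supplied as the "router".
        agg.self_swap(token, "transfer_from", "user", "third_party", min(approval, 1000))
    except PermissionError:
        pass  # call rejected, funds untouched
    return token.balances["user"]
```
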
Credit: cointelegraph.com