According to a post-mortem report published by the team on the official Discord channel of the project on February 17, the multichain exchange aggregator Dexible has been compromised by an exploit, and as a direct consequence, $2 million worth of bitcoin has been stolen.
As of 17 February, 6:35 pm UTC, the front end of Dexible displays a popup warning about the hack anytime users visit to it.
The team said at 6:17 am UTC that it had found “a possible hack on Dexible v2 contracts” and was looking into the matter at the time. A second statement was issued around nine hours later, in which it was said that the company now knew that “$2,047,635.17 was exploited from 17 trading addresses.” 4 on mainnet, 13 on arbitrum.”
A post-mortem report was provided as a PDF file at 4:00 pm UTC and made available on Discord. The team also said that it was “currently working on a repair plan.”
The organization stated in the report that it became aware that something was amiss when one of its founders had crypto assets worth $50,000 transferred out of his wallet for reasons that were unclear at the time. The reasons for this move were unknown at the time. Following their investigation, the team came to the conclusion that an adversary had utilized the selfSwap feature of the app to steal almost $2 million worth of cryptocurrency from users who had previously given permission for the program to transfer their tokens.
Users were able to make a trade of one token for another by using the selfSwap function, which required them to provide the address of a router and the calldata connected with it. However, the code did not include a list of routers that had already been reviewed and authorized. In order to move users’ tokens from their wallets into the attacker’s own smart contract, the attacker utilized this method to route a transaction from Dexible to each token contract. Token contracts did not put a stop to these potentially dangerous transactions since they originated from Dexible, which users had already given permission to use their tokens.
After receiving the tokens into their own smart contract, the attacker withdrew the coins using Tornado Cash and placed them in BNB (BNB) wallets that they did not aware about.
The execution of Dexible’s contracts has been halted, and the company has requested that users withdraw their token authorizations for such contracts.
The common practice of authorizing token approvals for large amounts can sometimes lead to losses for cryptocurrency users due to buggy or outright malicious contracts. As a result, some industry experts advise users to regularly revoke approvals in order to protect themselves from potential financial harm. Because the front ends of the majority of Web3 applications do not explicitly let users to alter the number of tokens granted, users often lose the whole of their token balance if it is discovered that an app has a security problem. Although MetaMask and other wallets have attempted to solve this issue by enabling users to alter token approvals during the wallet confirmation process, the majority of cryptocurrency users are still uninformed of the potential consequences of not taking use of this function.