DexibleApp aggregator hacked for $2M via 'selfSwap' function

Published at: Feb. 17, 2023

The multichain exchange aggregator DexibleApp has been hit by an exploit, and $2 million worth of cryptocurrency has been lost as a result, according to a Feb. 17 post-mortem report released by the team on the project’s official Discord server.

As of 6:35 p.m. UTC on Feb. 17, the DexibleApp frontend shows a popup warning about the hack whenever users navigate to it.

At 6:17 a.m. UTC, the team reported that they had discovered “a potential hack on Dexible v2 contracts” and were investigating the issue. Approximately nine hours later, they released a second statement that they “now know $2,047,635.17 was exploited from 17 trader addresses. 4 on mainnet, 13 on arbitrum.”

A post-mortem report was issued at 4 p.m. UTC as a PDF file and released on Discord, and the team said it was “actively working on a remediation plan.”

In the report, the team stated that it had noticed something was wrong when one of its founders had $50,000 worth of crypto moved out of his wallet for reasons that were unknown at the time. After investigating, the team found that an attacker had used the app’s selfSwap function to move over $2 million worth of crypto from users that had previously authorized the app to move their tokens.

The selfSwap function allowed users to provide the address of a router and calldata associated with it to make a swap of one token for another. However, there was no list of pre-approved routers written into the code. So, the attacker used this function to route a transaction from Dexible to each token contract, moving users’ tokens from their wallets into the attacker’s own smart contract. Because these malicious transactions were coming from Dexible, which users had already authorized to spend their tokens, the token contracts did not block the transactions.
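The pattern described above, as an added illustration (hypothetical code written for this article, not Dexible's own contracts): a `selfSwap` that forwards arbitrary calldata to any caller-supplied address exercises the contract's own token approvals, so the target can be a token contract rather than a router. The hardened version below restricts the target to an owner-maintained router allowlist and pulls only the caller's stated input amount before making the call; contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Illustrative weak pattern: any address, any calldata. The call runs with this
// contract's authority, and users have approved this contract to spend their tokens,
// so the forwarded call may itself be a transferFrom on a token contract.
contract VulnerableSelfSwap {
    function selfSwap(address router, bytes calldata data) external {
        (bool ok, ) = router.call(data);
        require(ok, "router call failed");
    }
}

// Hardened pattern: only allowlisted routers can be called, and the contract moves
// exactly the amount the caller asked to swap, from the caller alone.
contract HardenedSelfSwap {
    address public immutable owner;
    mapping(address => bool) public allowedRouter;

    constructor() { owner = msg.sender; }

    // Owner curates the router list; token contracts must never be added to it.
    function setRouter(address router, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedRouter[router] = allowed;
    }

    function selfSwap(address tokenIn, uint256 amountIn, address router, bytes calldata data) external {
        require(allowedRouter[router], "router not allowlisted");
        // Pull only the caller's own tokens, bounded by the amount they chose.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");
        // Give the router a one-shot allowance for this swap and revoke it afterwards,
        // so a compromised router cannot later drain balances held here.
        require(IERC20(tokenIn).approve(router, amountIn), "approve failed");
        (bool ok, ) = router.call(data);
        require(ok, "router call failed");
        require(IERC20(tokenIn).approve(router, 0), "revoke failed");
    }
}
```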


After receiving the tokens into their own smart contract, the attacker withdrew the coins through Tornado Cash into unknown Binance Coin (BNB) wallets.

Dexible has paused its contracts and urged users to revoke token authorizations for them.

The common practice of authorizing token approvals for large amounts has sometimes led to losses for crypto users due to buggy or outright malicious contracts, leading some experts to warn users to revoke approvals on a regular basis. The frontends for most Web3 apps do not directly allow users to edit the amount of tokens approved, so users often lose the full balance of their tokens if an app turns out to have a security flaw. MetaMask and other wallets have tried to fix this problem by allowing users to edit token approvals at the wallet confirmation step. But many crypto users are still unaware of the risk of not using this feature.
