A post-mortem report by the team published on the official Discord channel on February 17 by the project. It states that Dexible, a multichain exchange aggregator, was compromised by an exploit and $2 million in bitcoin has been stolen.
Dexible’s front end now displays a warning message about hacking every time users visit it.
The team announced at 6:17 UTC that they had discovered “a possible attack on Dexible contracts” and that they were investigating the matter. A second statement was issued nine hours later. It stated that the company knew that $2,047.635.17 was being exploited via 17 trading addresses. 4 on mainnet, 13 on arbitrum.”
The post-mortem was available as a PDF at 4:00 UTC and made accessible on Discord. It also stated that the team was currently working on a plan for repair.
According to the report, the organization said that it was made aware of the problem when one of its founders had cryptocurrency assets in excess of $50,000 stolen from his wallet. The reasons for this move were not clear at the time. This move was unknown at the time. After conducting an investigation, the team found that an adversary had used selfSwap to steal approximately $2 million worth cryptocurrency from users who previously gave permission for the program’s transfer of their tokens.
By using the selfSwap function users could trade tokens for another. They had to give the address of a router as well as the calldata. The code didn’t contain a list or routers that had been approved and reviewed. To move tokens from users’ wallets to the attacker’s smart contract, the attacker used this method to route a Dexible transaction to each token contract. Because these potentially dangerous transactions originated from Dexible (which users had already granted permission to use their tokens), token contracts didn’t stop them.
The attacker received the tokens and created a smart contract. He then used Tornado Cash to withdraw them and placed them into BNB (BNB), wallets that they were not aware of.
Dexible has halted execution of its contracts and requested that users withdraw token authorizations to such contracts.
Users of cryptocurrency may experience losses due to malicious or buggy contracts if token approvals are granted for large amounts. Industry experts recommend that users regularly revoke authorizations to avoid financial loss. Web3 applications don’t permit users to modify the tokens granted. Users can often lose all of their token balances if they discover a security flaw in an app. However, MetaMask Although other wallets have attempted solutions by allowing users the ability to change token approvals during wallet confirmation, the majority are unaware of the potential negative consequences of not using this function.