On February 17, 2022, the multichain exchange aggregator Dexible was hacked, resulting in the loss of $2 million worth of cryptocurrency. Dexible released a post-mortem report on its official Discord server detailing the exploit.
The hack occurred as a result of a vulnerability in the selfSwap function, which was intended to allow users to provide their routing information. The code, however, did not restrict routers to a pre-approved list. In this article, we will delve deeper into the specifics of the attack, the post-mortem report, and what the incident means for the larger cryptocurrency community.
How the Attack Occurred
Dexible’s selfSwap function permitted users to provide a router address and its associated calldata to enable the swapping of tokens. However, the code did not restrict the router to a pre-approved list. As a result, the attacker exploited this vulnerability to route transactions from Dexible to token contracts. The attacker was able to transfer tokens from users’ wallets into their smart contract. Since the attacker was authorized by Dexible to use the tokens, the token contracts did not block the transactions.
Once the attacker had received the tokens, they transferred them to unknown BNB wallets via Tornado Cash. The hack was discovered when one of the founders noticed that $50,000 worth of cryptocurrency had been moved from their wallet without their knowledge. After investigating, the team discovered that the attacker had exploited the selfSwap function to move over $2 million worth of cryptocurrency from users who had previously authorized the app to move their tokens.
The Post-Mortem Report
Dexible released a post-mortem report on Discord detailing the incident. The report stated that the team was aware of a potential hack on the Dexible v2 contracts at 6:17 am UTC on February 17, 2022. At that point, the team began investigating the issue. Nine hours later, the team issued a statement that $2,047,635.17 worth of cryptocurrency had been exploited from 17 trader addresses, with four on the mainnet and 13 on Arbitrum.
The post-mortem report revealed that the selfSwap function did not limit routers to a preapproved list, which was the main cause of the hack. The team discovered that the attacker had used the function to move the tokens into their smart contract, leading to the loss of cryptocurrency for users. Dexible paused its contracts and urged users to revoke token authorizations for them.
Implications for the Cryptocurrency Community
The Dexible hack highlights the need for tighter security measures in the cryptocurrency industry. As the market continues to grow, so does the risk of hacks and exploits. With the value of cryptocurrencies increasing, hackers have become more motivated to target exchanges and users. This has resulted in many high-profile hacks, such as the $460 million hack of Poly Network in August 2021. The Poly Network hack was notable because the hacker returned the funds and worked with the platform to improve security.
The Dexible hack illustrates the importance of pre-approved router lists in smart contract code. By restricting the router list, Dexible could have prevented the attacker from exploiting the selfSwap function. In addition, the incident highlights the need for users to regularly revoke token approvals to minimize the risk of losing their tokens. Many users are not aware of this risk, and wallets and Web3 apps should do more to inform users about this issue.
Conclusion
In conclusion, the recent hack on the Dexible aggregator once again highlights the importance of security in the cryptocurrency industry. While the selfSwap function was intended to provide users with more flexibility and control over their transactions, the lack of preapproved routers made it vulnerable to exploitation.
The Dexible team has taken swift action to address the issue, pausing its contracts and urging users to revoke token authorizations. However, this incident serves as a reminder to all crypto users to exercise caution and vigilance when using DeFi apps and to regularly review and manage their token authorizations.
As the industry continues to evolve and new features and functions are introduced, it is crucial that developers prioritize security and take proactive measures to prevent exploits and hacks. Only by doing so can we create a safer and more secure environment for users to transact and invest in cryptocurrencies.
