$1 530 000 USD

FEBRUARY 2023

GLOBAL

DEXIBLE DEX

DESCRIPTION OF EVENTS

"Dexible is a trading engine for pro traders to maximize profitability. Fully noncustodial set-and-forget orders on 6 major EVM chains across 60+ dexes."

 

"Dexible is a decentralized exchange (dex) aggregator and execution management system (EMS) optimizing full trade life-cycle support in DeFi. The platform offers pro traders and portfolio managers core atomic functionality out-of-the-box that vastly improves overall performance." "Dexible is more than a DEX aggregator. It's an Algo Execution Suite for maximizing profitability designed for the pros."

 

"Minimizes Price-Impact: Splits large orders into market impact minimizing rounds. Full Trade Lifecycle Support: Detailed pre-trade and post-trade analysis. Post-Order Analytics: View and export detailed trade history reports for reporting and analysis. Smart Order Routing: Taps into 60+ liquidity sources for optimal price discovery."

 

"Think of Dexible as a highly flexible dex aggregator with an execution layer modeled to resemble OEMS in CeFi & Traditional Finance. The platform scans all the available sources of liquidity on a particular blockchain to optimize outcomes for swaps. Dexible also checks dexes for their current pricing and available liquidity, among other on and off-chain conditions. When market conditions match the trader's criteria, orders get submitted through Dexible's Settlement Smart Contract, then calling out to one or more dex contracts to execute the actual trades."

 

"With Dexible, traders can enter and exit large positions in DeFi without fearing market manipulation or MEV. With radical financial innovation and growth comes radical investment returns and opportunity, leading to more institutional capital flooding into the ecosystem."

 

"A formal audit was not performed on the latest set of contracts. We had several community members and Dexible engineers review the code, and they did not find the vulnerability. The core engineer that created the contracts has over 25 years of software engineering experience, and he did not see the vulnerability. Upon reviewing one of the hacker's transactions, however, he immediately understood how it was executed."

 

"One feature of Dexible’s recently introduced v2 contracts allows users to define their own routing via the selfSwap function. Dexible’s post-mortem report (published via Telegram and Discord, in PDF format) explains:

 

embedded in each request to swap was a "route" of what DEX to call and what data to send to that DEX to execute a swap

 

However, the function does not check whether the router address is actually a DEX by, for example, using an on-chain allowlist:

 

the router address was not verified on-chain in any way. This meant that instead of calling a DEX smart contract, the hacker simply called a token contract with a request to "transferFrom" any account that had spend approval on the Dexible contract"
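The two paragraphs above describe the defect: the caller chose both the router address and the calldata, and the settlement contract forwarded the call without checking either, while holding standing ERC-20 approvals from its users. The contracts below are an added illustration written for this page, not Dexible's code; the contract names, the `selfSwap` parameters, the `RouterAllowed`/`Swapped` events and the `setRouter`/`setPaused` functions are assumptions chosen for the example. The first contract shows the unchecked pattern the post-mortem describes; the second shows the hardened form a reviewer would expect: an owner-managed router allowlist, a pull of exactly `amountIn` from the caller (so the only approval consumed is the caller's own), a slippage check on the output, a per-trade approval to the router that is reset afterwards, and a pause switch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Dexible's code. All names below are assumptions
// chosen for this example.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// @notice The unchecked pattern described in the post-mortem: the caller
/// supplies both the router address and the calldata, and neither is verified.
/// Because this contract holds standing ERC-20 approvals from its users, an
/// arbitrary target address means an arbitrary call made with this contract's
/// authority, including token transfers against those approvals.
contract UncheckedSettlement {
    function selfSwap(address router, bytes calldata routeData) external {
        (bool ok, ) = router.call(routeData); // no allowlist, no selector check
        require(ok, "route failed");
    }
}

/// @notice Hardened form: routers must be on an owner-managed allowlist, the
/// contract pulls exactly `amountIn` of the input token from the caller, grants
/// the router a per-trade approval that is reset afterwards, and checks the
/// output against the caller's minimum before forwarding it.
contract AllowlistedSettlement {
    address public owner;
    bool public paused;
    mapping(address => bool) public allowedRouter;

    event RouterAllowed(address indexed router, bool allowed);
    event Swapped(address indexed trader, address tokenIn, address tokenOut, uint256 amountIn, uint256 amountOut);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    /// @dev Only the owner can add or remove routers; every addition is logged
    /// so monitoring can alert on unexpected allowlist changes.
    function setRouter(address router, bool allowed) external onlyOwner {
        allowedRouter[router] = allowed;
        emit RouterAllowed(router, allowed);
    }

    /// @dev Circuit breaker: pausing stops all settlement calls immediately.
    function setPaused(bool p) external onlyOwner { paused = p; }

    function selfSwap(
        address router,
        bytes calldata routeData,
        address tokenIn,
        address tokenOut,
        uint256 amountIn,
        uint256 minAmountOut
    ) external whenNotPaused {
        require(allowedRouter[router], "router not allowlisted");
        require(tokenIn != tokenOut, "same token");

        // Consume only the caller's own approval, and only for this trade's size.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");

        // Scope the router's spending to this trade, then clear it afterwards.
        require(IERC20(tokenIn).approve(router, amountIn), "approve failed");
        uint256 before = IERC20(tokenOut).balanceOf(address(this));
        (bool ok, ) = router.call(routeData);
        require(ok, "route failed");
        require(IERC20(tokenIn).approve(router, 0), "approve reset failed");

        // Measure what actually arrived and enforce the caller's slippage bound.
        uint256 received = IERC20(tokenOut).balanceOf(address(this)) - before;
        require(received >= minAmountOut, "slippage");

        require(IERC20(tokenOut).transfer(msg.sender, received), "payout failed");
        emit Swapped(msg.sender, tokenIn, tokenOut, amountIn, received);
    }
}
```

Two caveats follow from the page's own account. The allowlist only helps while the allowlisted routers themselves cannot be steered into arbitrary calls, so what goes on the list deserves the same review as the settlement contract. And because the loss came from "any wallet that had an unspent spend approval on the contract", the exposure of a settlement contract is the sum of its users' standing approvals; pulling only `amountIn` per trade limits what a single call can move, and users of a paused or deprecated contract should revoke any approvals that remain.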

 

"The decentralised exchange aggregator Dexible lost a total of $2M on Friday, on Ethereum and Arbitrum.

 

Although contracts were quickly paused, an official announcement came more than 9 hours after the hack, and over five hours after Peckshield raised the alarm.

 

The thread states that their tech lead “discovered the attack early on” but that the “Twitter channel was not able to respond in time”, despite various promotional tweets being published in the intervening hours."

 

"Relatively few addresses were affected, with the majority of losses reportedly coming from an address belonging to BlockTower Capital which lost 18M TRU tokens, valued at ~$1.4M at the time.

 

In total, approximately $1.5M was lost on Ethereum, and sent to Tornado Cash. A further $450k was lost on Arbitrum, which was bridged to BSC before also being washed via Tornado Cash."

 

"Dear Dexible community, we regret to inform you that in the early hours of February 17th, a hacker exploited a vulnerability in our newest smart contract. This allowed the hacker to steal funds from any wallet that had an unspent spend approval on the contract."

 

"We are taking this very seriously, and our team immediately paused all Dexible contracts on all chains upon detecting the issue. Our users were affected, but the exploit is over."

 

"We are grateful to our tech lead, who discovered the attack early on. Unfortunately, our Twitter channel was not able to respond in time. Statements were made on Discord and Telegram."

 

"Several team members were up overnight to contain the exploit.

 

As we write this statement, the team is in a war room to develop the next steps, create a triage plan, and gather the data."

 

"Update: 17 traders were affected total, 4 on Mainnet, 13 on Arbitrum.

 

Out of 36 on Arbitrum, only 13 were exploited.

 

Out of 14 unique on Ethereum, 4 were exploited.

 

A few big whales that were exploited accounted for ~85%"

 

"The Exploiter has transferred stolen funds ~930.6 $ETH (~1.53M) into Tornado Cash"

 

Explore This Case Further On Our Wiki

Dexible is a decentralized exchange (DEX) aggregator and execution management system (EMS) that optimizes full trade lifecycle support in DeFi. The platform offers pro traders and portfolio managers core atomic functionality out-of-the-box that vastly improves overall performance. With Dexible, traders can enter and exit large positions in DeFi without fearing market manipulation or MEV. However, Dexible suffered a hack on February 17th, 2023, losing a total of $2 million on Ethereum and Arbitrum. Although contracts were quickly paused, an official announcement came more than nine hours after the hack, and over five hours after Peckshield raised the alarm. Approximately $1.5 million was lost on Ethereum, and a further $450k was lost on Arbitrum, which was bridged to BSC before also being washed via Tornado Cash. 17 traders were affected in total, and the exploiter transferred stolen funds of ~930.6 $ETH (~$1.53M) into Tornado Cash. Dexible had not undergone a formal audit; none was performed on the latest set of contracts.

Sources And Further Reading
