Dexible DEX Aggregator SelfSwap Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Revision as of 16:27, 5 May 2023

Dexible DEX Aggregator

Dexible is a decentralized exchange (DEX) aggregator and execution management system (EMS) that optimizes full trade lifecycle support in DeFi. The platform offers pro traders and portfolio managers core atomic functionality out-of-the-box that vastly improves overall performance. With Dexible, traders can enter and exit large positions in DeFi without fearing market manipulation or MEV. However, Dexible suffered a hack on February 17th, 2022, losing a total of $2 million on Ethereum and Arbitrum. Although contracts were quickly paused, an official announcement came more than nine hours after the hack, and over five hours after Peckshield raised the alarm. Approximately $1.5 million was lost on Ethereum, and a further $450k was lost on Arbitrum, which was bridged to BSC before also being washed via Tornado Cash. 17 traders were affected in total, and the exploiter transferred stolen funds of ~930.6 $ETH ($1.53M) into Tornado Cash. Dexible has not undergone a formal audit, and one was not performed on the latest set of contracts.

About Dexible DEX

Dexible is a decentralized exchange (dex) aggregator and execution management system (EMS) for professional traders and portfolio managers across six major EVM chains and 60+ dexes. The platform offers atomic functionality that improves overall performance, and minimizes price impact by splitting large orders into market-impact-minimizing rounds. Dexible offers full trade lifecycle support with detailed pre-trade and post-trade analysis, smart order routing, and post-order analytics. The platform scans all available sources of liquidity on a particular blockchain to optimize outcomes for swaps and checks dexes for their current pricing and available liquidity. Traders can enter and exit large positions in DeFi without fearing market manipulation or MEV[1][2].

"Dexible is a trading engine for pro traders to maximize profitability. Fully noncustodial set-and-forget orders on 6 major EVM chains across 60+ dexes."

"Dexible is a decentralized exchange (dex) aggregator and execution management system (EMS) optimizing full trade life-cycle support in DeFi. The platform offers pro traders and portfolio managers core atomic functionality out-of-the-box that vastly improves overall performance." "Dexible is more than a DEX aggregator. It's an Algo Execution Suite for maximizing profitability designed for the pros."

"Minimizes Price-Impact: Splits large orders into market impact minimizing rounds. Full Trade Lifecycle Support: Detailed pre-trade and post-trade analysis. Post-Order Analytics: View and export detailed trade history reports for reporting and analysis. Smart Order Routing: Taps into 60+ liquidity sources for optimal price discovery."

"Think of Dexible as a highly flexible dex aggregator with an execution layer modeled to resemble OEMS in CeFi & Traditional Finance. The platform scans all the available sources of liquidity on a particular blockchain to optimize outcomes for swaps. Dexible also checks dexes for their current pricing and available liquidity, among other on and off-chain conditions. When market conditions match the trader's criteria, orders get submitted through Dexible's Settlement Smart Contract, then calling out to one or more dex contracts to execute the actual trades."

"With Dexible, traders can enter and exit large positions in DeFi without fearing market manipulation or MEV. With radical financial innovation and growth comes radical investment returns and opportunity, leading to more institutional capital flooding into the ecosystem."

The Reality

Dexible did not perform a formal audit on its latest set of contracts, but several community members and engineers reviewed the code and did not find the vulnerability. The vulnerability was found in the selfSwap function, which allows users to define their own routing, but does not check if the router address is a DEX. The hacker exploited this vulnerability by calling a token contract with a request to "transferFrom" any account that had spend approval on the Dexible contract. The core engineer who created the contracts did not see the vulnerability initially, but after reviewing the hacker's transaction, he immediately understood how it was executed. Dexible has published a post-mortem report explaining the issue[3].

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Dexible DEX Aggregator SelfSwap Exploit

Date | Event | Description
February 16th, 2023 8:23:22 PM MST | FixedFloat Exchange Completed | The exploiter completes an exchange with the FixedFloat decentralized swap service and receives 0.423796 BNB into their wallet[4].
February 16th, 2023 8:39:47 PM MST | Unwrapping Wrapped Ethereum | The exploiter unwraps their wrapped Ethereum tokens (stored on the BNB blockchain)[5].
February 16th, 2023 9:16:35 PM MST | First Exploit of Wrapped Ethereum | The very first exploit transaction, for 11.34634284419918137 Wrapped Ethereum[6].
February 16th, 2023 9:20:35 PM MST | Exploit Transaction | The second exploit transaction, for 17,960,937.5 TrueFI tokens[7]. This transaction is the most widely referenced attack transaction example[8][9].
February 16th, 2023 10:00:00 PM MST | Smart Contract Paused | According to a later Tweet by Dexible App, the smart contract was paused at 5 AM UTC[10].
February 17th, 2023 12:51:35 AM MST | Attacker Starts Cashing Out ETH To TornadoCash | The attacker starts to move the ETH funds from their wallet and deposit them into TornadoCash[11].
February 17th, 2023 12:53:34 AM MST | Attacker Starts Cashing Out BNB To TornadoCash | The attacker starts to move the BNB funds from their wallet into TornadoCash[12].
February 17th, 2023 1:03:23 AM MST | Attacker Done ETH TornadoCash Cash Out Process | The last ETH transaction from the attacker into TornadoCash is completed[13].
February 17th, 2023 1:05:00 AM MST | PeckShield Twitter Report | PeckShield reports that Dexible "may need to ask users to revoke allowance" and provides one of the exploit transactions for analysis[8].
February 17th, 2023 1:08:00 AM MST | PeckShield Reports Contract Paused | PeckShield reports on Twitter that the protocol should now be paused[14].
February 17th, 2023 1:10:00 AM MST | PeckShield Reports TornadoCash ETH Movement | PeckShield reports on the TornadoCash movement of Ethereum (which happened before their first Tweet)[15].
February 17th, 2023 1:39:39 AM MST | Attacker Done BNB TornadoCash Cash Out Process | The final BNB transaction from the exploiter into TornadoCash is completed[16].
February 17th, 2023 2:08:00 AM MST | PeckShield Reports TornadoCash BNB Movement | PeckShield reports on the TornadoCash movement of BNB (which happened before their first Tweet)[15].
February 17th, 2023 6:35:00 AM MST | Dexible App Announces The Hack Publicly | Dexible makes a public Tweet to announce the hack on Twitter[17].
February 17th, 2023 6:47:00 AM MST | Dexible App Reports Contract Paused | According to Dexible App, the smart contract was paused at 5:00 AM UTC[10].
February 17th, 2023 7:42:00 AM MST | Dexible App Reports on Losses | Dexible App posts a Tweet reporting on the total amount lost in the protocol[18].
February 21st, 2023 6:56:00 AM MST | RektHQ Report on Situation | RektHQ posts about the exploit[9]. The decentralized exchange aggregator Dexible lost $2m on Ethereum and Arbitrum after the contracts were exploited, but an official announcement was made over five hours after the alarm was raised. Dexible's tech lead discovered the attack early on, but the Twitter channel was unable to respond in time. When they did respond, Dexible's message came across as tone-deaf and indifferent. Dexible's recently introduced v2 contracts allow users to define their own routing via the selfSwap function, but selfSwap does not check the router address against an on-chain allowlist of DEXes. The Dexible team released unaudited code based on the experience of their team[3].

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
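The selfSwap weakness described in The Reality and the RektHQ summary above, sketched in Solidity as an added example that is not Dexible's code or the post-mortem's: an unrestricted self-routed swap beside a variant that enforces the on-chain router allowlist the write-up says was missing. The contract names, the owner and pause plumbing, and the minOut slippage check are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-20 surface needed by the two contracts below.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Illustrative sketch of the bug class (NOT Dexible's code): the caller picks
// both the target and the calldata, and nothing checks that `router` is a DEX.
// Because this contract is the spender on every user's token approval, an
// arbitrary call made from it is as powerful as the approvals it holds.
contract UnrestrictedSelfSwap {
    function selfSwap(address router, bytes calldata data) external {
        (bool ok, ) = router.call(data);
        require(ok, "swap failed");
    }
}

// Hardened sketch (names and owner/pause plumbing are assumptions of this
// example): the call target must be on an owner-managed allowlist, tokens are
// pulled only from msg.sender, the router gets a bounded allowance that is
// cleared afterwards, and the swap output is checked against the caller's bound.
contract AllowlistedSelfSwap {
    address public immutable owner;
    bool public paused;
    mapping(address => bool) public isRouter;

    event RouterAllowed(address indexed router, bool allowed);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    // The on-chain allowlist that the RektHQ write-up says was missing.
    function setRouter(address router, bool allowed) external onlyOwner {
        isRouter[router] = allowed;
        emit RouterAllowed(router, allowed);
    }

    // Emergency stop, the control Dexible used once the exploit was detected.
    function setPaused(bool p) external onlyOwner { paused = p; }

    function selfSwap(
        IERC20 tokenIn, uint256 amountIn, IERC20 tokenOut, uint256 minOut,
        address router, bytes calldata data
    ) external whenNotPaused {
        // A token contract is never an allowlisted router, so the path this
        // page describes (a token used as the router) is rejected here.
        require(isRouter[router], "router not allowlisted");
        require(router != address(tokenIn) && router != address(tokenOut), "token as router");

        // Only the caller's own tokens move; other users' approvals are untouched.
        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "pull failed");
        require(tokenIn.approve(router, amountIn), "approve failed");

        uint256 before = tokenOut.balanceOf(address(this));
        (bool ok, ) = router.call(data);
        require(ok, "swap failed");

        // Clear the router allowance and enforce the caller's slippage bound.
        require(tokenIn.approve(router, 0), "approve reset failed");
        uint256 received = tokenOut.balanceOf(address(this)) - before;
        require(received >= minOut, "insufficient output");
        require(tokenOut.transfer(msg.sender, received), "payout failed");
    }
}
```

The allowlist only shifts trust onto the listed routers, so each one still has to be reviewed before it is added, and production code should wrap the token calls in a SafeERC20-style helper because some tokens do not return a bool.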

Total Amount Lost

Attack transactions and amounts lost:

TX#
1[6]
2[7]
3

The total amount lost has been estimated at $1,530,000 USD.

Dexible reported the affected accounts on Twitter[18].

Update: 17 traders were affected total, 4 on Mainnet, 13 on Arbitrum.

Out of 36 on Arbitrum, only 13 were exploited.

Out of 14 unique on Ethereum, 4 were exploited.

A few big whales were exploited, accounting for ~85%.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

Tweet By PeckShield

Blockchain analytics company PeckShield was one of the first to notice and report on the issue[8]. They reported on one of the exploit transactions[7].

Hi @DexibleApp, you may need to ask users to revoke allowance! (The loss is already >$1.5M). Here is one hack [transaction]

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

"The decentralised exchange aggregator, Dexible lost a total of $2M on Friday, on Ethereum and Arbitrum.

Although contracts were quickly paused, an official announcement came more than 9 hours after the hack, and over five hours after Peckshield raised the alarm.

The thread states that their tech lead “discovered the attack early on” but that the “Twitter channel was not able to respond in time”, despite various promotional tweets being published in the intervening hours."

"Relatively few addresses were affected, with the majority of losses reportedly coming from an address belonging to BlockTower Capital which lost 18M TRU tokens, valued at ~$1.4M at the time.

In total, approximately $1.5M was lost on Ethereum, and sent to Tornado Cash. A further $450k was lost on Arbitrum, which was bridged to BSC before also being washed via Tornado Cash."

"Dear Dexible community, we regret to inform you that in the early hours of February 17th, a hacker exploited a vulnerability in our newest smart contract. This allowed the hacker to steal funds from any wallet that had an unspent spend approval on the contract."

"We are taking this very seriously, and our team immediately paused all Dexible contracts on all chains upon detecting the issue. Our users were affected, but the exploit is over."

"We are grateful to our tech lead, who discovered the attack early on. Unfortunately, our Twitter channel was not able to respond in time. Statements were made on Discord and Telegram."

"Several team members were up overnight to contain the exploit.

As we write this statement, the team is in a war room to develop the next steps, create a triage plan, and gather the data."

"The Exploiter has transferred stolen funds ~930.6 $ETH (~1.53M) into Tornado Cash"

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Introducing Dexible - Algo Trading Dex Aggregator for DeFi Portfolio Managers - YouTube (May 3, 2023)
  2. Start Here - Dexible (May 3, 2023)
  3. Rekt - Dexible - REKT (May 3, 2023)
  4. Attacker Receives 0.423796 BNB From FixedFloat - BscScan (May 5, 2023)
  5. https://etherscan.io/tx/0xe44dcea98ad8019bae5b6b83e266ff873c3aa7cdca9a60a3239a7b19a9237636 (May 5, 2023)
  6. Exploit Transaction For 11.34634284419918137 Wrapped Ethereum - Etherscan (May 5, 2023)
  7. Transaction Exploiting Dexible DEX For 17,960,937.5 TrueFi - Etherscan (May 3, 2023)
  8. peckshield - "Hi @DexibleApp, you may need to ask users to revoke allowance! (The loss is already >$1.5M). Here is one hack [transaction]" - Twitter (May 3, 2023)
  9. RektHQ - "@DexibleApp lost a total of $2M on Friday, on Ethereum and Arbitrum." - Twitter (May 3, 2023)
  10. DexibleApp - "Protocol was paused at 5:00 AM UTC this morning." - Twitter (May 3, 2023)
  11. Exploiter Depositing First 100 ETH Into TornadoCash - EtherScan (May 5, 2023)
  12. Attacker Transfers First 100 BNB Into TornadoCash - BscScan (May 5, 2023)
  13. Last Transaction For 0.1 ETH into TornadoCash - EtherScan (May 5, 2023)
  14. PeckShield - "The protocol should be now paused." - Twitter (May 3, 2023)
  15. PeckShield Alert - "The Exploiter has transferred stolen funds ~930.6 $ETH (~1.53M) into Tornado Cash" - Twitter (May 5, 2023)
  16. Attacker Transfers Final 0.1 BNB Into TornadoCash - BscScan (May 5, 2023)
  17. DexibleApp - "Dear Dexible community, we regret to inform you that in the early hours of February 17th, a hacker exploited a vulnerability in our newest smart contract. This allowed the hacker to steal funds from any wallet that had an unspent spend approval on the contract." - Twitter (May 3, 2023)
  18. DexibleApp - "Update: 17 traders were affected total, 4 on Mainnet, 13 on Arbitrum." - Twitter (May 3, 2023)