Dexible DEX Aggregator SelfSwap Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 19:48, 3 May 2023 by Azoundria

[Image: Dexible DEX Aggregator]

Dexible is a decentralized exchange (DEX) aggregator and execution management system (EMS) that optimizes full trade lifecycle support in DeFi. The platform offers pro traders and portfolio managers core atomic functionality out-of-the-box that vastly improves overall performance. With Dexible, traders can enter and exit large positions in DeFi without fearing market manipulation or MEV. However, Dexible suffered a hack on February 17th, 2022, losing a total of $2 million on Ethereum and Arbitrum. Although contracts were quickly paused, an official announcement came more than nine hours after the hack, and over five hours after Peckshield raised the alarm. Approximately $1.5 million was lost on Ethereum, and a further $450k was lost on Arbitrum, which was bridged to BSC before also being washed via Tornado Cash. 17 traders were affected in total, and the exploiter transferred stolen funds of ~930.6 $ETH ($1.53M) into Tornado Cash. Dexible has not undergone a formal audit, and one was not performed on the latest set of contracts.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7]

About Dexible DEX

"Dexible is a trading engine for pro traders to maximize profitability. Fully noncustodial set-and-forget orders on 6 major EVM chains across 60+ dexes."

"Dexible is a decentralized exchange (dex) aggregator and execution management system (EMS) optimizing full trade life-cycle support in DeFi. The platform offers pro traders and portfolio managers core atomic functionality out-of-the-box that vastly improves overall performance." "Dexible is more than a DEX aggregator. It's an Algo Execution Suite for maximizing profitability designed for the pros."

"Minimizes Price-Impact: Splits large orders into market impact minimizing rounds. Full Trade Lifecycle Support: Detailed pre-trade and post-trade analysis. Post-Order Analytics: View and export detailed trade history reports for reporting and analysis. Smart Order Routing: Taps into 60+ liquidity sources for optimal price discovery."

"Think of Dexible as a highly flexible dex aggregator with an execution layer modeled to resemble OEMS in CeFi & Traditional Finance. The platform scans all the available sources of liquidity on a particular blockchain to optimize outcomes for swaps. Dexible also checks dexes for their current pricing and available liquidity, among other on and off-chain conditions. When market conditions match the trader's criteria, orders get submitted through Dexible's Settlement Smart Contract, then calling out to one or more dex contracts to execute the actual trades."

"With Dexible, traders can enter and exit large positions in DeFi without fearing market manipulation or MEV. With radical financial innovation and growth comes radical investment returns and opportunity, leading to more institutional capital flooding into the ecosystem."

"A formal audit was not performed on the latest set of contracts. We had several community members and Dexible engineers review the code, and they did not find the vulnerability. The core engineer that created the contracts has over 25 years of software engineering experience, and he did not see the vulnerability. Upon reviewing one of the hacker's transactions, however, he immediately understood how it was executed."

"One feature of Dexible’s recently introduced v2 contracts allows users to define their own routing via the selfSwap function. Dexible’s post-mortem report (published via Telegram and Discord, in PDF format) explains:

embedded in each request to swap was a "route" of what DEX to call and what data to send to that DEX to execute a swap

However, the function does not check whether the router address is actually a DEX by, for example, using an on-chain allowlist:

the router address was not verified on-chain in any way. This meant that instead of calling a DEX smart contract, the hacker simply called a token contract with a request to "transferFrom" any account that had spend approval on the Dexible contract"
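As an added illustration (not Dexible's contract code and not taken from the post-mortem), the unchecked-router pattern the post-mortem describes is shown beside a hardened form. Contract, struct and function names are hypothetical; the owner allowlist, the pull-from-caller step and the one-shot allowance are assumed mitigations; the token is assumed to return booleans as in the ERC-20 standard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical illustration, not Dexible's code. A Route mirrors the
// post-mortem's description: a router address plus calldata to send it.
struct Route {
    address router; // contract the settlement contract will call
    bytes data;     // calldata forwarded to that contract
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// VULNERABLE pattern: the router is caller-supplied and never checked.
// Users approved this contract to spend their tokens, so an arbitrary
// call it makes (e.g. to a token contract with transferFrom calldata)
// is executed with those approvals behind it.
contract VulnerableSelfSwap {
    function selfSwap(Route calldata route) external {
        (bool ok, ) = route.router.call(route.data); // unverified target
        require(ok, "route failed");
    }
}

// HARDENED pattern: (1) only owner-allowlisted routers may be called, so a
// token contract cannot be passed as the target; (2) the contract only ever
// moves the caller's own tokens and grants the router a one-shot allowance.
contract HardenedSelfSwap {
    address public immutable owner;
    mapping(address => bool) public allowedRouters;

    constructor() { owner = msg.sender; }

    function setRouter(address router, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedRouters[router] = allowed;
    }

    function selfSwap(Route calldata route, address tokenIn, uint256 amountIn) external {
        require(allowedRouters[route.router], "router not allowlisted");
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");
        require(IERC20(tokenIn).approve(route.router, amountIn), "approve failed");
        (bool ok, ) = route.router.call(route.data);
        require(ok, "route failed");
        require(IERC20(tokenIn).approve(route.router, 0), "reset failed"); // no standing allowance
    }
}
```

Even with the allowlist, the settlement contract should never be the holder of long-lived user approvals it does not need; the second mitigation limits what any router call can reach to the amount the caller just supplied.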

"The decentralised exchange aggregator, Dexible lost a total of $2M on Friday, on Ethereum and Arbitrum.

Although contracts were quickly paused, an official announcement came more than 9 hours after the hack, and over five hours after Peckshield raised the alarm.

The thread states that their tech lead “discovered the attack early on” but that the “Twitter channel was not able to respond in time”, despite various promotional tweets being published in the intervening hours."

"Relatively few addresses were affected, with the majority of losses reportedly coming from an address belonging to BlockTower Capital which lost 18M TRU tokens, valued at ~$1.4M at the time.

In total, approximately $1.5M was lost on Ethereum, and sent to Tornado Cash. A further $450k was lost on Arbitrum, which was bridged to BSC before also being washed via Tornado Cash."

"Dear Dexible community, we regret to inform you that in the early hours of February 17th, a hacker exploited a vulnerability in our newest smart contract. This allowed the hacker to steal funds from any wallet that had an unspent spend approval on the contract."

"We are taking this very seriously, and our team immediately paused all Dexible contracts on all chains upon detecting the issue. Our users were affected, but the exploit is over."

"We are grateful to our tech lead, who discovered the attack early on. Unfortunately, our Twitter channel was not able to respond in time. Statements were made on Discord and Telegram."

"Several team members were up overnight to contain the exploit.

As we write this statement, the team is in a war room to develop the next steps, create a triage plan, and gather the data."

"Update: 17 traders were affected total, 4 on Mainnet, 13 on Arbitrum.

Out of 36 on Arbitrum, only 13 were exploited.

Out of 14 unique on Ethereum, 4 were exploited.

A few big whales that were exploited accounted for ~85%"

"The Exploiter has transferred stolen funds ~930.6 $ETH (~1.53M) into Tornado Cash"



The Reality


What Happened


Key Event Timeline - Dexible DEX Aggregator SelfSwap Exploit

Date | Event | Description
February 16th, 2023 9:20:35 PM MST | Exploit Transaction | One of the exploit transactions on the blockchain.

Technical Details


Total Amount Lost

The total amount lost has been estimated at $1,530,000 USD.


Immediate Reactions


Ultimate Outcome


Total Amount Recovered

There do not appear to have been any funds recovered in this case.


Ongoing Developments


Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References