Dexible DEX Aggregator SelfSwap Exploit
Dexible is a decentralized exchange (DEX) aggregator and execution management system (EMS) that optimizes full trade lifecycle support in DeFi. The platform offers pro traders and portfolio managers core atomic functionality out-of-the-box that vastly improves overall performance. With Dexible, traders can enter and exit large positions in DeFi without fearing market manipulation or MEV. However, Dexible suffered a hack on February 17th, 2022, losing a total of $2 million on Ethereum and Arbitrum. Although contracts were quickly paused, an official announcement came more than nine hours after the hack, and over five hours after Peckshield raised the alarm. Approximately $1.5 million was lost on Ethereum, and a further $450k was lost on Arbitrum, which was bridged to BSC before also being washed via Tornado Cash. 17 traders were affected in total, and the exploiter transferred stolen funds of ~930.6 $ETH ($1.53M) into Tornado Cash. Dexible has not undergone a formal audit, and one was not performed on the latest set of contracts.
About Dexible DEX
Dexible is a decentralized exchange (dex) aggregator and execution management system (EMS) for professional traders and portfolio managers across six major EVM chains and 60+ dexes. The platform offers atomic functionality that improves overall performance, and minimizes price impact by splitting large orders into market-impact-minimizing rounds. Dexible offers full trade lifecycle support with detailed pre-trade and post-trade analysis, smart order routing, and post-order analytics. The platform scans all available sources of liquidity on a particular blockchain to optimize outcomes for swaps and checks dexes for their current pricing and available liquidity. Traders can enter and exit large positions in DeFi without fearing market manipulation or MEV[1][2].
"Dexible is a trading engine for pro traders to maximize profitability. Fully noncustodial set-and-forget orders on 6 major EVM chains across 60+ dexes."
"Dexible is a decentralized exchange (dex) aggregator and execution management system (EMS) optimizing full trade life-cycle support in DeFi. The platform offers pro traders and portfolio managers core atomic functionality out-of-the-box that vastly improves overall performance." "Dexible is more than a DEX aggregator. It's an Algo Execution Suite for maximizing profitability designed for the pros."
"Minimizes Price-Impact: Splits large orders into market impact minimizing rounds. Full Trade Lifecycle Support: Detailed pre-trade and post-trade analysis. Post-Order Analytics: View and export detailed trade history reports for reporting and analysis. Smart Order Routing: Taps into 60+ liquidity sources for optimal price discovery."
"Think of Dexible as a highly flexible dex aggregator with an execution layer modeled to resemble OEMS in CeFi & Traditional Finance. The platform scans all the available sources of liquidity on a particular blockchain to optimize outcomes for swaps. Dexible also checks dexes for their current pricing and available liquidity, among other on and off-chain conditions. When market conditions match the trader's criteria, orders get submitted through Dexible's Settlement Smart Contract, then calling out to one or more dex contracts to execute the actual trades."
"With Dexible, traders can enter and exit large positions in DeFi without fearing market manipulation or MEV. With radical financial innovation and growth comes radical investment returns and opportunity, leading to more institutional capital flooding into the ecosystem."
The Reality
Dexible did not perform a formal audit on its latest set of contracts, but several community members and engineers reviewed the code and did not find the vulnerability. The vulnerability was found in the selfSwap function, which allows users to define their own routing, but does not check if the router address is a DEX. The hacker exploited this vulnerability by calling a token contract with a request to "transferFrom" any account that had spend approval on the Dexible contract. The core engineer who created the contracts did not see the vulnerability initially, but after reviewing the hacker's transaction, he immediately understood how it was executed. Dexible has published a post-mortem report explaining the issue[3].
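The bug class described above, an unrestricted external call forwarded on behalf of a contract that holds user token approvals, is easiest to see next to its fix. The following is an added illustration written for this page, not Dexible's code; the contract and function names (VulnerableSettlement, HardenedSettlement, allowedRouters) are hypothetical, and the hardened version adds the on-chain router allowlist that the post-mortem coverage names as the missing check, plus a pause switch of the kind the team used to stop the exploit.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Dexible's contract. All names below are hypothetical.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Vulnerable pattern: the caller chooses both the target and the calldata,
// and the contract forwards the call with its own authority. Because users
// have granted this contract token approvals, a "router" that is really a
// token contract lets the forwarded call spend those approvals.
contract VulnerableSettlement {
    function selfSwap(address router, bytes calldata routerData) external {
        (bool ok, ) = router.call(routerData);
        require(ok, "router call failed");
    }
}

// Hardened pattern: an owner-managed on-chain allowlist of routers, an
// emergency pause, and explicit handling of the caller's own tokens so the
// contract never spends another user's approval on behalf of msg.sender.
contract HardenedSettlement {
    address public immutable owner;
    bool public paused;
    mapping(address => bool) public allowedRouters;
    uint256 private _lock = 1; // simple reentrancy guard

    event RouterAllowed(address indexed router, bool allowed);
    event PausedSet(bool paused);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }
    modifier nonReentrant() { require(_lock == 1, "reentrant"); _lock = 2; _; _lock = 1; }

    constructor() { owner = msg.sender; }

    // Only the owner may add or remove DEX routers from the allowlist.
    function setRouter(address router, bool allowed) external onlyOwner {
        allowedRouters[router] = allowed;
        emit RouterAllowed(router, allowed);
    }

    // Emergency stop: blocks every selfSwap until cleared.
    function setPaused(bool p) external onlyOwner {
        paused = p;
        emit PausedSet(p);
    }

    function selfSwap(
        address router,
        bytes calldata routerData,
        IERC20 tokenIn,
        uint256 amountIn,
        IERC20 tokenOut,
        uint256 minOut
    ) external whenNotPaused nonReentrant returns (uint256 received) {
        // The check the vulnerable version lacks: only known DEX routers may be called.
        require(allowedRouters[router], "router not allowlisted");

        // Pull only the caller's own input tokens, and only the stated amount.
        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "pull failed");

        // Grant the router a one-off allowance bounded to this trade.
        require(tokenIn.approve(router, amountIn), "approve failed");
        uint256 before = tokenOut.balanceOf(address(this));

        (bool ok, ) = router.call(routerData);
        require(ok, "router call failed");

        // Leave no residual allowance for the router, then forward the proceeds.
        require(tokenIn.approve(router, 0), "approve reset failed");
        received = tokenOut.balanceOf(address(this)) - before;
        require(received >= minOut, "insufficient output");
        require(tokenOut.transfer(msg.sender, received), "payout failed");
    }
}
```

Two points of the design are worth noting. The allowlist check alone closes the hole described in this case, since a token contract is never an allowlisted router; the explicit pull of exactly `amountIn` from `msg.sender` is defence in depth, so that even a misbehaving allowlisted router can only touch the tokens of the trade in progress rather than any approval held on the contract. In production, non-standard tokens that do not return a bool from `transfer`/`approve` should be handled with a SafeERC20-style wrapper rather than the bare `require` calls used here.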
What Happened
| Date | Event | Description |
|---|---|---|
| February 16th, 2023 9:20:35 PM MST | Exploit Transaction | One of the exploit transactions on the blockchain[4]. |
| February 16th, 2023 10:00:00 PM MST | Smart Contract Paused | According to a later Tweet by Dexible App, the smart contract was paused at 5 AM UTC[5]. |
| February 17th, 2023 1:05:00 AM MST | Peckshield Twitter Report | Peckshield reports that Dexible "may need to ask users to revoke allowance" and provides one of the exploit transactions for analysis[6]. |
| February 17th, 2023 1:08:00 AM MST | PeckShield Reports Contract Paused | PeckShield reports on Twitter that the protocol should now be paused[7]. |
| February 17th, 2023 6:35:00 AM MST | Dexible App Announces The Hack Publicly | Dexible makes a public Tweet announcing the hack[8]. |
| February 17th, 2023 6:47:00 AM MST | Dexible App Reports Contract Paused | According to Dexible App, the smart contract was paused at 5:00 AM UTC[5]. |
| February 17th, 2023 7:42:00 AM MST | Dexible App Reports on Losses | Dexible App posts a Tweet reporting on the total amount lost in the protocol[9]. |
| February 21st, 2023 6:56:00 AM MST | RektHQ Report on Situation | RektHQ posts about the exploit[10]. The decentralized exchange aggregator Dexible lost $2M on Ethereum and Arbitrum after its contracts were exploited, but an official announcement was made over five hours after the alarm was raised. Dexible's tech lead discovered the attack early on, but the Twitter channel was unable to respond in time; when it did respond, Dexible's message came across as tone-deaf and indifferent. Dexible's recently introduced v2 contracts allow users to define their own routing via the selfSwap function, but do not check, via an on-chain allowlist, whether the router address is a DEX. The Dexible team released unaudited code based on the experience of their team[3]. |
Technical Details
Total Amount Lost
The total amount lost has been estimated at $1,530,000 USD.
Dexible reported the affected accounts on Twitter[9]:
"Update: 17 traders were affected total, 4 on Mainnet, 13 on Arbitrum.
Out of 36 on Arbitrum, only 13 were exploited.
Out of 14 unique on Ethereum, 4 were exploited.
A few big whales that were exploited accounted for ~85%."
Immediate Reactions
"The decentralised exchange aggregator, Dexible lost a total of $2M on Friday, on Ethereum and Arbitrum.
Although contracts were quickly paused, an official announcement came more than 9 hours after the hack, and over five hours after Peckshield raised the alarm.
The thread states that their tech lead “discovered the attack early on” but that the “Twitter channel was not able to respond in time”, despite various promotional tweets being published in the intervening hours."
"Relatively few addresses were affected, with the majority of losses reportedly coming from an address belonging to BlockTower Capital which lost 18M TRU tokens, valued at ~$1.4M at the time.
In total, approximately $1.5M was lost on Ethereum, and sent to Tornado Cash. A further $450k was lost on Arbitrum, which was bridged to BSC before also being washed via Tornado Cash."
"Dear Dexible community, we regret to inform you that in the early hours of February 17th, a hacker exploited a vulnerability in our newest smart contract. This allowed the hacker to steal funds from any wallet that had an unspent spend approval on the contract."
"We are taking this very seriously, and our team immediately paused all Dexible contracts on all chains upon detecting the issue. Our users were affected, but the exploit is over."
"We are grateful to our tech lead, who discovered the attack early on. Unfortunately, our Twitter channel was not able to respond in time. Statements were made on Discord and Telegram."
"Several team members were up overnight to contain the exploit.
As we write this statement, the team is in a war room to develop the next steps, create a triage plan, and gather the data."
"The Exploiter has transferred stolen funds ~930.6 $ETH (~1.53M) into Tornado Cash"
Ultimate Outcome
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Introducing Dexible - Algo Trading Dex Aggregator for DeFi Portfolio Managers - YouTube (May 3, 2023)
2. Start Here - Dexible (May 3, 2023)
3. Rekt - Dexible - REKT (May 3, 2023)
4. Ethereum Transaction Exploiting Dexible DEX - Etherscan (May 3, 2023)
5. DexibleApp - "Protocol was paused at 5:00 AM UTC this morning." - Twitter (May 3, 2023)
6. peckshield - "Hi @DexibleApp, you may need to ask users to revoke allowance! (The loss is already >$1.5M). Here is one hack [transaction]" - Twitter (May 3, 2023)
7. PeckShield - "The protocol should be now paused." - Twitter (May 3, 2023)
8. DexibleApp - "Dear Dexible community, we regret to inform you that in the early hours of February 17th, a hacker exploited a vulnerability in our newest smart contract. This allowed the hacker to steal funds from any wallet that had an unspent spend approval on the contract." - Twitter (May 3, 2023)
9. DexibleApp - "Update: 17 traders were affected total, 4 on Mainnet, 13 on Arbitrum." - Twitter (May 3, 2023)
10. RektHQ - "@DexibleApp lost a total of $2M on Friday, on Ethereum and Arbitrum." - Twitter (May 3, 2023)