Crisis-comms calamity as cross-chain chaos continues…
The decentralised exchange aggregator Dexible lost a total of $2M on Friday, across Ethereum and Arbitrum.
The thread states that their tech lead “discovered the attack early on” but that the “Twitter channel was not able to respond in time”, despite various promotional tweets being published in the intervening hours.
When they did finally respond, however, part of their message came across as, at best, tone-deaf and, at worst, indifferent.
There's no excuse for an exploit, but these things happen
exploits happen in DeFi.
One feature of Dexible’s recently introduced v2 contracts allows users to define their own routing via the selfSwap function. Dexible’s post-mortem report (published via Telegram and Discord, in PDF format) explains:
embedded in each request to swap was a "route" of what DEX to call and what data to send to that DEX to execute a swap
However, the function does not verify that the router address is actually a DEX (for example, by checking it against an on-chain allowlist):
the router address was not verified on-chain in any way. This meant that instead of calling a DEX smart contract, the hacker simply called a token contract with a request to "transferFrom" any account that had spend approval on the Dexible contract
Example tx: 0x138daa4c…
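To make the difference concrete, the following is an added example, not Dexible's own contract code (which the post-mortem does not reproduce). It shows a minimal swap executor in the unchecked shape the report describes, alongside a version that allowlists routers and only ever pulls the caller's own input tokens. The contract names, the Route struct and all function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example (hypothetical, not Dexible's code): an "execute a user-supplied route"
// pattern in its unchecked form, beside an allowlisted, scope-limited form.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address owner) external view returns (uint256);
}

// A route as the post-mortem describes it: which contract to call, and with what calldata.
struct Route {
    address router;
    bytes data;
}

// UNCHECKED SHAPE: any address may be supplied as the "router" and any calldata is
// executed from this contract's context. Users have approved this contract to spend
// their tokens, so a route whose "router" is a token contract and whose calldata is a
// transferFrom(...) moves those users' funds. Nothing here can tell a DEX from a token.
contract UncheckedSwapExecutor {
    function selfSwap(Route calldata route) external {
        (bool ok, ) = route.router.call(route.data);
        require(ok, "route failed");
    }
}

// HARDENED SHAPE: routers must be on an owner-managed on-chain allowlist, the route may
// never target a token contract, the executor pulls only msg.sender's own input tokens,
// and the router gets an exact-size allowance that is revoked after the call.
contract AllowlistedSwapExecutor {
    address public immutable owner;
    mapping(address => bool) public allowedRouter;

    event RouterAllowed(address indexed router, bool allowed);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function setRouter(address router, bool allowed) external onlyOwner {
        allowedRouter[router] = allowed;
        emit RouterAllowed(router, allowed);
    }

    function selfSwap(
        address tokenIn, uint256 amountIn,
        address tokenOut, uint256 minAmountOut,
        Route calldata route
    ) external {
        // The check the unchecked version lacks: the call target must be a known DEX router.
        require(allowedRouter[route.router], "router not allowlisted");
        // Belt and braces: a route must never point at the tokens being swapped.
        require(route.router != tokenIn && route.router != tokenOut, "router is a token");

        // Pull only the caller's own tokens, bounded by the amount they asked to swap.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");
        // Exact-size, single-use allowance for the router.
        require(IERC20(tokenIn).approve(route.router, amountIn), "approve failed");

        uint256 before = IERC20(tokenOut).balanceOf(address(this));
        (bool ok, ) = route.router.call(route.data);
        require(ok, "route failed");
        // Revoke whatever the router did not consume so it cannot draw on it later.
        IERC20(tokenIn).approve(route.router, 0);

        // Enforce the caller's slippage bound and forward the output to the caller only.
        uint256 received = IERC20(tokenOut).balanceOf(address(this)) - before;
        require(received >= minAmountOut, "insufficient output");
        require(IERC20(tokenOut).transfer(msg.sender, received), "payout failed");
    }
}
```

The allowlist is what stops a token contract from being passed as a "router"; the scoped transferFrom is what bounds the damage even if an allowlisted router were later compromised, since the executor only ever moves the calling user's own amountIn. Production code would use a SafeERC20-style wrapper for approve and transfer, because some widely used tokens do not return a bool.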
In total, approximately $1.5M was lost on Ethereum, and sent to Tornado Cash. A further $450k was lost on Arbitrum, which was bridged to BSC before also being washed via Tornado Cash.
In the post-mortem report, the Dexible team attempted to justify releasing unaudited code based on the experience of their team:
A formal audit was not performed on the latest set of contracts. We had several community members and Dexible engineers review the code, and they did not find the vulnerability. The core engineer that created the contracts has over 25 years of software engineering experience, and he did not see the vulnerability. Upon reviewing one of the hacker's transactions, however, he immediately understood how it was executed.
An audit is not a silver bullet… but it certainly helps.
Even the most experienced engineers may overlook a security vulnerability in their own code. Naturally, when building a new protocol, devs primarily have users in mind.
But in this industry, security is paramount.
And no shortage of unaudited protocols have made it onto the leaderboard.
In Dexible’s own words:
exploits happen in DeFi.