# DexibleApp aggregator hacked for $2M via ‘selfSwap’ function

Published Feb. 17, 2023, 21:10 UTC. Reposted from Cointelegraph; the original report is linked at the end.

The multichain exchange aggregator DexibleApp has been hit by an exploit, and $2 million worth of cryptocurrency has been lost as a result, according to a Feb. 17 post-mortem report released by the team on the project’s official Discord server.

As of 6:35 p.m. UTC on Feb. 17, the DexibleApp frontend shows a popup warning about the hack whenever users navigate to it.

[Image: screenshot of the warning popup on the DexibleApp frontend]

At 6:17 a.m. UTC, the team reported that they had discovered “a potential hack on Dexible v2 contracts” and were investigating the issue. Approximately nine hours later, they released a second statement that they “now know $2,047,635.17 was exploited from 17 trader addresses. 4 on mainnet, 13 on Arbitrum.”

A post-mortem report was issued at 4 p.m. UTC as a PDF file released on Discord, and the team said it was “actively working on a remediation plan.”

In the report, the team stated that it had noticed something was wrong when one of its founders had $50,000 worth of crypto moved out of his wallet for reasons that were unknown at the time. After investigating, the team found that an attacker had used the app’s selfSwap function to move over $2 million worth of crypto from users who had previously authorized the app to move their tokens.

The selfSwap function let a caller supply the address of a router and the calldata to send to it, so that the Dexible contract could perform a swap of one token for another through that router. However, the code kept no list of pre-approved routers, so it would forward the supplied calldata to any address. The attacker exploited this by passing each token contract itself as the “router”, with calldata for a transferFrom call that moved users’ balances from their wallets into the attacker’s own smart contract. Because that call was issued by the Dexible contract, and users had already approved that contract to spend their tokens, each token’s allowance check passed and the transfers went through.

After receiving the tokens into their own smart contract, the attacker withdrew the funds through Tornado Cash into unknown Binance Coin (BNB) wallets.

Dexible has paused its contracts and urged users to revoke their token approvals for them.

The common practice of approving token spending for large, often unlimited, amounts has repeatedly led to losses for crypto users through buggy or outright malicious contracts, which is why some experts advise users to revoke unused approvals on a regular basis. An approval lets the approved contract spend up to that amount from the user’s wallet at any later time, whether or not the user is still interacting with the app.
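To make the mechanism concrete, below is a constructed Python model of the flaw described above and of the two mitigations the article touches on: a router allow-list on the contract side and a bounded approval on the user side. It is an added illustration, not Dexible’s contract code or a reconstruction of it; the class names, addresses (“victim”, “attacker_contract”, “aggregator”) and token balances are hypothetical, and the ERC-20 token is reduced to the allowance check that matters here.

```python
"""Constructed model of an aggregator selfSwap that forwards a caller-supplied
router address and calldata. Added illustration only: not Dexible's code, and
every name below (Token, VulnerableAggregator, DexRouter, "victim", ...) is
hypothetical."""
from typing import Any, Dict, Set, Tuple

UNLIMITED = 2**256 - 1  # the "infinite" approval most dapp frontends request


class Token:
    """Minimal ERC-20: transferFrom is authorised by the allowance granted to
    the *calling contract* (msg.sender), regardless of who triggered that call."""

    def __init__(self, address: str, balances: Dict[str, int]) -> None:
        self.address = address
        self.balances = dict(balances)
        self.allowances: Dict[Tuple[str, str], int] = {}  # (owner, spender) -> amount

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> None:
        allowed = self.allowances.get((owner, caller), 0)
        if allowed < amount:
            raise PermissionError(f"{caller} may spend only {allowed} of {owner}'s tokens")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        if allowed != UNLIMITED:  # many tokens never decrement a max approval
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class DexRouter:
    """Stand-in for a legitimate swap router; records the calls it receives."""
    address = "dex_router"

    def __init__(self) -> None:
        self.calls = []

    def swap_exact_tokens(self, caller: str, amount_in: int, token_in: str, token_out: str) -> None:
        self.calls.append((caller, amount_in, token_in, token_out))


class VulnerableAggregator:
    """selfSwap as the post-mortem describes it: any target, any calldata."""
    address = "aggregator"

    def self_swap(self, msg_sender: str, router: Any, calldata: Tuple) -> None:
        method, *args = calldata
        # The low-level call is issued by the aggregator contract, so the target
        # sees msg.sender == self.address and checks *its* allowances.
        getattr(router, method)(self.address, *args)


class HardenedAggregator(VulnerableAggregator):
    """Same entry point, but only pre-approved router addresses may be called."""

    def __init__(self, routers: Set[str]) -> None:
        self.routers = routers

    def self_swap(self, msg_sender: str, router: Any, calldata: Tuple) -> None:
        if getattr(router, "address", None) not in self.routers:
            raise PermissionError("router is not on the allow-list")
        super().self_swap(msg_sender, router, calldata)


def run_attack(approval_amount: int, hardened: bool) -> int:
    """Replay the drain and return what lands in the attacker's contract.
    The victim approved the aggregator earlier; the attacker passes the token
    contract as the 'router' and a transferFrom(victim, attacker, amount) call
    as the calldata, sized to whatever the allowance permits."""
    usdc = Token("usdc", {"victim": 100_000})
    usdc.approve("victim", VulnerableAggregator.address, approval_amount)
    agg = HardenedAggregator({DexRouter.address}) if hardened else VulnerableAggregator()
    amount = min(usdc.allowances[("victim", agg.address)], usdc.balances["victim"])
    try:
        agg.self_swap("attacker", usdc, ("transfer_from", "victim", "attacker_contract", amount))
    except PermissionError:
        pass  # hardened contract refuses the non-allow-listed target
    return usdc.balances.get("attacker_contract", 0)


def legit_swap_still_works() -> bool:
    """The allow-list must not break the intended path through a real router."""
    router = DexRouter()
    agg = HardenedAggregator({DexRouter.address})
    agg.self_swap("trader", router, ("swap_exact_tokens", 1_000, "usdc", "weth"))
    return router.calls == [(agg.address, 1_000, "usdc", "weth")]


if __name__ == "__main__":
    print("unlimited approval, vulnerable contract:", run_attack(UNLIMITED, hardened=False))
    print("unlimited approval, allow-listed routers:", run_attack(UNLIMITED, hardened=True))
    print("approval capped at 5,000, vulnerable contract:", run_attack(5_000, hardened=False))
    print("legitimate swap on hardened contract:", legit_swap_still_works())
```

The model makes two points visible at once: the token never sees the attacker at all, only the aggregator that holds the approvals, so the only contract-side fix is to refuse arbitrary targets; and with the vulnerable contract unchanged, a user who approved 5,000 instead of the unlimited amount loses 5,000 rather than their whole balance, which is the reason for the spend-limit advice later in the article.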
The frontends of most Web3 apps do not let users edit the amount of tokens being approved, so users often lose the full balance of a token if an app turns out to have a security flaw. MetaMask and other wallets have tried to address this by letting users edit the approval amount at the wallet confirmation step (see https://metamask.zendesk.com/hc/en-us/articles/6055177143579-How-to-customize-token-approvals-with-a-custom-spend-limit). But many crypto users are still unaware of the risk of not using this feature.

Source: https://cointelegraph.com/news/dexibleapp-aggregator-hacked-for-2m-via-selfswap-function