A few days ago, the non-KYC decentralized application FixedFloat suffered a hack of its infrastructure, resulting in losses of $26 million.
In total, according to the blockchain auditing and analysis company PeckShield, 1728 ETH and 409 BTC were stolen; part of the money was then laundered through decentralized mixers and coinjoin transactions.
FixedFloat said that user funds are safe and that the hack did not compromise the financial stability of the crypto trading application.
All the details below.
FixedFloat Infrastructure Vulnerability: Decentralized App Hacked for $26 Million in BTC and ETH
The decentralized crypto exchange application FixedFloat was the victim of a hack on Saturday, February 17th, causing losses of $26 million in BTC and ETH.
It all started when several users reported experiencing frozen transactions and missing funds on their accounts; soon after it was discovered by on-chain analysis that several million dollars had been drained into various unrecognized external wallets.
Although it is still unclear how the attack occurred, the FixedFloat team promptly explained at the time of the incident that it was a “small technical problem.”
The team announced that the funds would be refunded to the platform’s users and that the hack did not compromise the company’s financial stability.
In any case, at the time of writing this article the decentralized application remains inoperative and in maintenance mode, but it will be reopened at an unspecified future date, once the team is certain that it is safe to use.
Here is what FixedFloat reported on X following the hack:
The decentralized exchange is known for its non-KYC services, which do not require registration under the classic “Know Your Customer” procedure, giving it a competitive advantage on the privacy side.
By offering the ability to be anonymous and enabling Bitcoin transactions via the Lightning Network to its customers, FixedFloat has attracted a wide range of users from the United States.
In part, the anonymity feature and the lack of internal controls favored the attacker, who did not have to provide any personal data to access the application.
According to what was reported by the cybersecurity and blockchain analysis company PeckShield, the theft amounts precisely to 1728 ETH, worth 4.85 million dollars, and 409 BTC, worth almost 21 million dollars.
Much of the ether from the hack has already been transferred to a wide range of decentralized exchanges on the Ethereum blockchain.
FixedFloat reported that they are working with law enforcement, blockchain forensics firms and cryptocurrency exchanges to track down the hackers, who have not yet contacted the exchange.
The company said it will honor all its payment obligations as soon as it resumes operations and is assured that the exchange will be safe to use again.
Part of the BTC stolen in the hack was laundered via coinjoin transactions
While the ETH stolen in the hack of the decentralized application FixedFloat was easily moved to dozens of different addresses and passed around the Ethereum blockchain, the BTC that are part of the same loot are being recycled through coinjoin transactions.
Recall that coinjoin is a type of Bitcoin transaction, first proposed by Gregory Maxwell in 2013, which combines several BTC payments into a single transaction, making it difficult to determine which addresses spent which amount.
Much as with decentralized mixers like Tornado Cash, coinjoin transactions pool the funds of several participants into a single transaction, from which depositors can then withdraw their money as “clean”, anonymous funds.
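To show why equal-denomination coinjoins frustrate on-chain tracing while unequal ones leak, here is an added example (not from the original article or any of the projects it mentions) that models three constructed transactions and applies one simplified chain-analysis heuristic, assumed here for illustration: an output can only belong to a participant whose input is at least as large as that output.

```python
SATS = 100_000_000  # satoshis per BTC


def btc(amount):
    """Convert a BTC amount to satoshis (integer math avoids float drift later)."""
    return round(amount * SATS)


def plausible_funders(inputs, output_sats):
    """Labels of inputs whose value could cover this output.

    Simplified analyst heuristic (an assumption of this example, fees ignored):
    an input smaller than the output cannot have funded it on its own.
    """
    return [label for label, sats in inputs if sats >= output_sats]


def anonymity_sets(inputs, outputs):
    """Size of the plausible-funder set per output; 1 means the output is fully linkable."""
    return [len(plausible_funders(inputs, out)) for out in outputs]


def weakest_link(inputs, outputs):
    """Smallest anonymity set across all outputs: where an analyst would start pulling the thread."""
    return min(anonymity_sets(inputs, outputs))


# Constructed sample transactions: (inputs as (label, sats), outputs as sats).
# 1. Ordinary payment from one owner: a payment output plus change, all linkable to A.
PLAIN = ([("A", btc(0.30))], [btc(0.25), btc(0.05)])
# 2. Naive two-party join with unequal amounts: the 0.25 output can only be A's.
NAIVE_JOIN = ([("A", btc(0.30)), ("B", btc(0.05))],
              [btc(0.25), btc(0.05), btc(0.05)])
# 3. Whirlpool-style join: five equal inputs, five equal outputs, any output could be anyone's.
EQUAL_JOIN = ([(p, btc(0.05)) for p in "ABCDE"], [btc(0.05)] * 5)

if __name__ == "__main__":
    for name, (ins, outs) in (("plain", PLAIN), ("naive join", NAIVE_JOIN), ("equal join", EQUAL_JOIN)):
        print(f"{name:10s} anonymity sets={anonymity_sets(ins, outs)} weakest={weakest_link(ins, outs)}")
```

Real coinjoin analysis also uses input-ownership clustering, fee structure and timing, but the amount heuristic alone already shows why mixers such as Whirlpool insist on fixed-size outputs.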
In this case the hacker used a kind of mixer that relies on a coinjoin-like method to increase privacy, through which several BTC have already been passed.
In particular we can state that according to what was explained by a web3 researcher on
34F2Jjmzo4N3kz3zVVBbqr3nn6NkvQvNjA, which belongs to CEX TradeOgre.
This money could represent the commission paid by the attacker to use the mixer, which would seem to be traceable back to the Whirlpool application, which implements an advanced privacy system.
It is believed that 166 BTC of the 409 stolen from the decentralized application FixedFloat have already passed through the Whirlpool mixer.
Incidents like this are commonplace in crypto environments, especially non-KYC ones that protect hackers’ anonymity in some way.
According to what was highlighted by the on-chain forensic research company Chainalysis, despite the numerous incidents recorded in 2023, hacks and exploits are down compared to the previous year, when there had been a boom in thefts.
In total, the value of hacked funds fell by approximately 54.3% compared to 2022, with a total stolen sum of approximately $1.7 billion, which mainly comes from hacks of DeFi applications.
Source: https://cryptonomist.ch/2024/02/20/applicazione-decentralizzata-fixedfloat-hack/