The multichain exchange aggregator Dexible has been hit by an exploit, and $2 million worth of cryptocurrency has been lost as a result, according to a Feb. 17 post-mortem report released by the team on the project’s official Discord server.
As of 6:35 pm UTC on Feb. 17, the Dexible front end shows a popup warning about the hack whenever users navigate to it.
At 6:17 am UTC, the team reported that it had discovered “a potential hack on Dexible v2 contracts” and was investigating the issue. Approximately nine hours later, it released a second statement that it now knew “$2,047,635.17 was exploited from 17 trader addresses. 4 on mainnet, 13 on arbitrum.”
A post-mortem report was issued at 4:00 pm UTC as a PDF file and released on Discord, and the team said it was “actively working on a remediation plan.”
In the report, the team states that it noticed something was wrong when one of its founders had $50,000 worth of crypto moved out of his wallet for reasons that were unknown at the time. After investigating, the team found that an attacker had used the app’s selfSwap function to move over $2 million worth of crypto from users who had previously authorized the app to move their tokens.
The selfSwap function allowed users to provide the address of a router and calldata associated with it to make a swap of one token for another. However, there was no list of preapproved routers written into the code. So, the attacker used this function to route a transaction from Dexible to each token contract, moving users’ tokens from their wallets into the attacker’s own smart contract. Because these malicious transactions were coming from Dexible, which users had already authorized to spend their tokens, the token contracts did not block
Read more on cointelegraph.com
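The report's core finding is that selfSwap accepted an arbitrary router address and calldata while the contract held token approvals from many users, and that no list of preapproved routers existed in the code. The following Solidity sketch is an added illustration of that control from a defender's side; it is not Dexible's code, and the contract name, `allowedRouters` mapping and `safeSelfSwap` function are hypothetical. It assumes ERC-20 tokens whose `transferFrom` and `approve` return a boolean.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not Dexible's code. Names (SwapRouterExample, allowedRouters,
// safeSelfSwap) are hypothetical. The contract holds spending approvals granted by
// users, so any address it calls with caller-supplied calldata must be restricted.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

contract SwapRouterExample {
    address public immutable owner;
    mapping(address => bool) public allowedRouters; // the preapproved-router list
    bool private locked;                            // simple reentrancy guard

    event RouterAllowed(address indexed router, bool allowed);
    event SelfSwap(address indexed trader, address indexed router, address tokenIn, uint256 amountIn);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    // Only the owner (in practice a multisig or governance) may add or remove routers.
    function setRouter(address router, bool allowed) external onlyOwner {
        allowedRouters[router] = allowed;
        emit RouterAllowed(router, allowed);
    }

    // Weak pattern described in the report, kept as a comment for contrast only:
    // both the call target and the calldata are caller-controlled, and the contract
    // holds approvals from every user, so the target can be any contract at all.
    //
    // function selfSwapUnrestricted(address router, bytes calldata data) external {
    //     (bool ok, ) = router.call(data);
    //     require(ok, "swap failed");
    // }

    // Hardened form:
    //  1. the router must be on the allowlist;
    //  2. input tokens are pulled only from msg.sender, so the approval a user granted
    //     this contract can be exercised only for a call that user makes;
    //  3. the router's allowance is scoped to this swap and revoked afterwards.
    // Delivery of the output token to the trader is left to the router call (simplification).
    function safeSelfSwap(
        address router,
        address tokenIn,
        uint256 amountIn,
        bytes calldata data
    ) external nonReentrant {
        require(allowedRouters[router], "router not allowed");
        require(amountIn > 0, "zero amount");

        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");
        require(IERC20(tokenIn).approve(router, amountIn), "approve failed");

        (bool ok, ) = router.call(data);
        require(ok, "swap failed");

        // Leave no standing allowance behind for the router.
        require(IERC20(tokenIn).approve(router, 0), "revoke failed");
        emit SelfSwap(msg.sender, router, tokenIn, amountIn);
    }
}
```

The allowlist is the control the post-mortem says was absent; the `msg.sender`-only pull is the second line of defence, because it means the contract's pooled approvals can never be spent on behalf of anyone other than the account initiating the call. Users, for their part, can limit the blast radius of any such bug by granting exact-amount rather than unlimited approvals and revoking allowances they no longer use.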