Decentralized And Non-KYC Crypto Exchange Hacked For $26 Million

forbes.com, 20 February 2024 07:37 UTC

A decentralized and non-KYC crypto exchange was hacked. FixedFloat, a known option for exchanging bitcoin and several other cryptocurrencies in a decentralized and pseudonymous way, lost over $26 million in an alleged hack, according to its team. Financial losses from this incident include 409 BTC and 1,728 ETH.

The incident was initially reported through X by community members on February 17. But at that moment, the comments were about the forced maintenance the platform was experiencing and the long times some transactions were taking. Only after an hour did the FixedFloat team address the issue, arguing "some minor technical problems." The platform is still under maintenance.

But when the X user behind the reprove handle on X, 0xJosh, posted about the hack, FixedFloat agreed that this was, in fact, a hack. "FixedFloat just got exploited/the developer ran away with 1,700 ETH yesterday, and the team is calling it 'some minor technical problem' — crazy," the user posted.

"I was mainly focusing on researching other chains, and I stumbled upon FixedFloat, and I saw that a lot of users who made transactions haven't got their money, so I got curious and I took a peek, and lo and behold, they got drained," 0xJosh explained to me via X direct messages. He argues that it's unclear whether it's an attack or an internal job, but it's better to wait for the FixedFloat team to reveal this information.

"The recent hacking of our system was not carried out by our employees; it was an external attack caused by vulnerabilities in our security structure. The limited information we can share at the moment is that the problem was in our infrastructure, which was compromised due to flaws and insufficient protection," the FixedFloat team explained to me in an email.

These flaws allowed the attackers to access some of the service's functions. However, FixedFloat can't fully disclose the incident as the investigation is ongoing. "We promise to provide a full report upon completion," they underscored.

Despite the loss, the platform only has outstanding payment obligations for approximately 30 orders to its users, and the payments will be made "immediately after we have resumed the service and are satisfied that it is safe," the team told me.

FixedFloat explained that the hack affected only the service, but user funds were unaffected. "We also want to emphasize that FixedFloat does not perform the functions of a custodial service, that is, it does not store user funds," they further detailed.

According to X user officer_cia, the drainer transferred most of the stolen ETH to eXch, a centralized mixer that uses THORSwap on Ethereum, after the attack. The stolen BTC started to disperse and was even mixed through Whirlpool, the mixing service operated by Samourai Wallet, and through the non-KYC exchange TradeOgre.

"Before interacting with a smart contract, check if it has been audited by a reputable security firm. Audits can significantly reduce the risk of vulnerabilities but do not eliminate it entirely," 0xJosh recommended for anyone interacting with decentralized exchanges like FixedFloat.
