The decentralized application FixedFloat suffers a $26 million hack

A few days ago, the decentralized non-KYC application FixedFloat suffered a hack attack on its infrastructure, resulting in losses of 26 million dollars.

According to the auditing and blockchain analysis company PeckShield, a total of 1728 ETH and 409 BTC were stolen: some of the money was then laundered by passing through decentralized mixers and coinjoin transactions.

FixedFloat has stated that user funds are safe and that the hack did not compromise the financial stability of the crypto exchange application.

All the details below.

Vulnerability in FixedFloat’s structure: the decentralized application suffers a $26 million hack in BTC and ETH

On Saturday, February 17th, the decentralized cryptocurrency exchange application FixedFloat was the victim of a hack that caused losses of 26 million dollars in BTC and ETH.

It all started when several users reported experiencing frozen transactions and missing funds in their accounts; shortly after, it was discovered through on-chain analysis that several million dollars had been drained to various unrecognized external wallets.

Although it is not yet clear how the attack occurred, the FixedFloat team promptly explained that it was a “small technical issue” at the time of the incident.

The same has announced that the funds will be refunded to the platform users and that the hack did not compromise the financial stability of the company.

Anyway, at the time of writing the article the decentralized application remains inactive and in maintenance mode, but it will be reopened in an unspecified future, as soon as it is certain to be safe to use.

Here is what was reported on X by Fixed FixedFloat following the hack:

The decentralized exchange is known for its non-KYC services, which do not require registration under the classic “Know Your Customer” procedure, allowing a competitive advantage in terms of privacy.

By offering the possibility of remaining anonymous and allowing transactions in Bitcoin through Lightning Network to its customers, FixedFloat has attracted a wide range of users from the United States.

Partly, the characteristic of anonymity and the lack of internal controls favored the malicious hacker attack, who did not have to provide their personal data to access the application.

According to the cybersecurity and blockchain analysis company PeckShield, the theft amounts to precisely 1728 ETH, worth 4.85 million dollars, and 409 BTC, worth almost 21 million dollars.

Most of the ether from the hack has already been transferred to a wide range of decentralized exchanges on the Ethereum blockchain.

FixedFloat has reported that they are working with law enforcement, blockchain forensic companies, and cryptocurrency exchanges to track down the hackers, who have not yet contacted the exchange. 

The company has stated that it will honor all its payment obligations as soon as it resumes operations and is certain that the exchange will be safe to use again.

Part of the stolen BTC from the hack were recycled through a coinjoin operation

While the ETH stolen from the hack of the decentralized application FixedFloat have been easily moved to dozens of different addresses and circulated through the Ethereum blockchain, the BTC that are part of the same loot are about to be recycled with coinjoin transactions.

We remind you that coinjoin is a type of Bitcoin operation, theorized for the first time by Gregory Maxwell in 2013, in which several BTC payments are combined into a single transaction, making it difficult to determine which addresses have spent which amount.

Similar to what happens with decentralized mixers like Tornado Cash, coinjoin transactions are combined together to make a single transaction in a joint pool, from which depositors can then request back their “pooled” and anonymous funds.

In our case, the hacker exploited a kind of mixer that uses a method to increase privacy similar to coinjoin, where several BTC have already been exchanged.

In particular, we can affirm that according to what was explained by a researcher web3 on X, part of the stolen funds, to be precise 2.7544 BTC, have flowed into the address

34F2Jjmzo4N3kz3zVVBbqr3nn6NkvQvNjA, which belongs to the CEX TradeOgre.

This money could represent the commission paid by the malicious actor to use the mixer, which seems to be linked to the Whirpool application that implements an advanced privacy system.

It is believed that 166 out of the 409 BTC stolen from the decentralized application FixedFloat have already passed through the Whirpool mixer.

Incidents like this are commonplace in cryptographic environments, especially in non-KYC ones that somehow protect the anonymity of hackers.

According to the on-chain forensic research company Chainalysis, despite the numerous incidents recorded in 2023 hacks and exploits are decreasing compared to the previous year, when there was a boom in thefts.

Overall, the value of hacked funds has decreased by about 54.3% compared to 2022 with a total stolen amount of approximately 1.7 billion dollars, mainly derived from DeFi applications hacks.

applicazione decentralizzata hack

Source: https://en.cryptonomist.ch/2024/02/20/the-decentralized-application-fixedfloat-falls-victim-to-a-26-million-hack/