FixedFloat DEX Hacked for $26M in BTC and ETH, Loot Already Moved

On Feb. 18, the FixedFloat team confirmed that the platform was hacked after blockchain sleuths reported the spurious crypto movements.

“We confirm that there was indeed a hack and theft of funds,” it stated in response to a post on X revealing the exploiter’s address.

However, no further details were provided, with the team stating, “We are not yet ready to make public comments on this matter, as we are working to eliminate all possible vulnerabilities, improve security, and investigate.”

There were no new posts or details on the FixedFloat X account as of early Monday morning on Feb. 19. Moreover, the FixedFloat website was also offline with the message “Technical work is underway, we will be back soon!” at the time of writing.

Looks like @FixedFloat just got exploited for 1700 ETH!

Drainer address: 0x85c4fF99bF0eCb24e02921b0D4b5d336523Fa085

Info by: @reprove pic.twitter.com/XHnHy3CFSs

— Officer’s Notes (@officer_cia) February 18, 2024

Another DEX Exploit

On Feb. 19, blockchain security firm PeckShield reported that around 1,728 ETH worth roughly $4.85 million and 409 BTC worth around $21 million were stolen in the attack.

The hacker has already transferred most of the stolen Ethereum to the eXch exchange, it added.

#PeckShieldAlert #FixedFloat was hacked, resulting in ~1,728 $ETH (worth ~$4.85m) and 409 $BTC (worth ~$21m) stolen. The drainer already transferred most of the stolen $ETH to #eXch on #Ethereum pic.twitter.com/IZKbCclH8v

— PeckShieldAlert (@PeckShieldAlert) February 19, 2024

FixedFloat is a crypto exchange powered by the Bitcoin Lightning network claiming to be completely automated. It facilitates crypto swaps without the need for user registration or know-your-customer (KYC) verification.

Web3 threat researcher ‘Officer’s Notes’ did a little more digging and said that in addition to multiple deposits for eXch, the FixedFloat Drainer also transferred stolen funds to HitBTC.

“Perhaps FixedFloat Drainer thus simply decided to confuse its trail by framing the innocent owner of these deposit addresses,” they theorized.

“Anything is possible. I don’t see any addresses (other than the hacker’s address) that link these 2 HitBTC deposit addresses (when analyzing ETH and token transactions). Most likely, the hacker created only a false trail.”

Due to its anonymous nature, FixedFloat is often used as a coin mixer to obfuscate a transaction trail.

Crypto Exploits Continue

According to the De.Fi Rekt database , there have already been several large crypto exploits and hacks this month.

On Feb. 9, gaming and metaverse platform PlayDapp lost $32 million in an access control exploit.

A few days later, on Feb. 13, Duelbits suffered a similar access control exploit, resulting in a loss of $4.6 million.