FixedFloat Exploit: Tracing the $26 Million Lost to the Hack

NEFTURE SECURITY I Blockchain Security
Coinmonks
7 min readFeb 23, 2024

--

Decentralized crypto exchange FixedFloat was exploited for $26 million on February 16th, 2024.

Hack Summary

On February 16th, the Fixed Float attacker stole approximately $26.1 million worth of Bitcoin and Ethereum in an undisclosed hack, although it’s suspected to be a private key exploit.

More than 409.304 BTC and 1,728.48 ETH worth $26,1 million USD were drained in 9 transactions (5 on Bitcoin Network and 4 on Ethereum Mainnet).

Funds stolen on the Bitcoin chain were distributed between multiple addresses, while the funds stolen on Ethereum were transferred to the eXch exchange through multiple addresses. This analysis is an in-depth study of the flow of funds post-hack.

Tracing The Stolen Funds

The Attack

  • There is no clear indication of how the attack was carried out yet. The Fixed Float team is reportedly investigating the security incident.
  • It is suspected that one of the address of the exchange was compromised due to a private key exploit.

On-chain Details

ETHEREUM BLOCKCHAIN—

The first attack transaction occurred at 09:05:23 PM and the last at 09:39:23 PM making it 34 minutes between the first and last attack transaction.

Attacker EOA I 0x85c4fF99bF0eCb24e02921b0D4b5d336523Fa085

Victim address (Fixed Float) I 0x4E5B2e1dc63F6b91cb6Cd759936495434C7e972F

Attack Transactions I

Tx1 (Test transaction): 0,007 ETH Drained from FixedFloat contract

0x35abe36b7382376e67d98d8ac8f78ef29e32e0c420e23d6c9b2d7f91a7cb704e

Tx 2: 1076,78 ETH Drained from FixedFloat contract

0x1faa4861a2c32ceaa7c483e8dc91c18e3a9247bac7f2588903691a7a1db4ece8

Tx 3: 650 ETH Drained from FixedFloat contract

0x8f0bd0a0b25788a59d979a58ce4edfba8956679d7a10e1e6ce12ce945e6ce740

Tx4: 1,7 ETH Drained from FixedFloat contract 0x78d3a02a03a52f3d096a4fe98da7563388c91cfeedfd5ae4d52d284f12b59879

The stolen funds from Ethereum were transferred to multiple EOAs and to eXch, a centralized mixer to hide the trail of the stolen assets.

BITCOIN BLOCKCHAIN—

The first attack transaction occurred at 10:25:53 and the last attack transaction occurred at 10:45:29 so less than 20 minutes.

Attacker EOA I bc1q2skp47p9f5mr4n4m27k66v0l68gh3xdd7ad4e5

Victim address (Fixed float) I bc1qns9f7yfx3ry9lj6yz7c9er0vwa0ye2eklpzqfw

Attack Transactions I

TX1: 3,1 BTC ($162k)

5b77e01a8253b245d0ce3fd9fcfb3dffb88d49396c1a5553848cf1e05be08c68

TX2: 3,1 BTC ($162k)

31538ae0e280c65f2b02916b32d83f4d6f281f2d867e641c274469b416e015c3

Tx3: 3,1 BTC ($162k)

0fdf2946694046d1109120c67bc8d0c96977aca2f1777dea7841d89a64e42260

Tx4: 200 BTC ($10,5 millions)

15f7ac31837c8dba597f46359857205df1c41573c4bb489b5a81fd058be5da6d

Tx5: 200 BTC ($10,5 millions)

9822616097948dab2048395c4d887dbb1f99273e5cc40de2d86639013588df41

The stolen funds from the Bitcoin network were first sent to three EOA addresses.

The stolen tokens were distributed through different transactions:

  • Bitcoin EOA for 170,85 BTC

bc1q04yvaefxyan4fuygsv4nr08pxet8ae426dxxf3

  • Bitcoin EOA for 38,45 BTC

bc1qp6gjx8par8e83lfqnem5q049x2qfpydfg27tjf

  • Bitcoin EOA for 200 BTC

bc1qmrqgrusknj7zzhh5r975a7d6espsukgts805ns

The Flow of Funds

In the investigation of the exploit, the analysis of the stolen funds reveals a complex web of transactions aimed at obfuscating the trail left by the attacker.

Notably, two distinct flows emerge from the analysis, each representing a strategic maneuver employed by the perpetrator to obscure their actions.

First Flow : Main Flow

The primary flow encompasses transactions and addresses associated with the highest volume of stolen assets. This route serves as the central artery through which the bulk of the stolen funds traverse. It is characterized by a series of intricate transactions orchestrated by the attacker, designed to launder and disperse his gains across various wallets and platforms.

By focusing on this main flow, we tried to unravel the intricate network of transfers and identify pivotal nodes that facilitate the movement of funds. The complexity of this flow underscores the sophistication of the attacker’s tactics and necessitates meticulous scrutiny to trace and mitigate the impact of the exploit.

  • 409,3 BTC were drained by Fixed Float Drainer bc1qmrqgrusknj7zzhh5r975a7d6espsukgts805ns
  • 370,85 were sent to Fixed Float Exploiter 1: bc1qmrqgrusknj7zzhh5r975a7d6espsukgts805ns
  • 370,75 BTC were sent to Fixed Float Exploiter 2 bc1qgl3m46gxmqnqzvleqx3pax5nw7qcs9zzuw2ypl

→ 273,11 BTC were sent to Fixed Float Exploiter 3 bc1qw0g4y5nlfh6yydpy5p5l9392jz6wcf3md24z4s

→ 97,64 BTC were sent to bc1qvm4h7efp0lt4purnu6juk4348tm938sn3af82n

  • 263,11 BTC were sent to Fixed Float Exploiter 4 bc1q33kugreujqk5xxsn6l5m5matrzypvp48z96c4y
  • From Fixed Float Exploiter 3 to the Fixed Float Exploiter 11, where 202 BTC remains as of February 20th, all the transactions followed the same path. For each stolen funds transferred, we see a pattern where two new bitcoin wallets are created and for each:

→ 10 BTC are transferred to a Secondary Wallet

→ The remaining BTC balance are transferred to another Main Wallet.

  • The same pattern keep on being reproduced 9 times until 202 BTC were sent to Fixed Float Exploiter 11 where the stolen funds remain as of February 20th.

You can see the flow of funds below with the 10 BTC transfers to secondary wallets in Yellow, and the transfers of the rest of the BTC balance to Main wallets in Blue.

Second Flow: Dispersion

In contrast, the dispersion flow involves the transfer of specific assets, such as the 97.64 BTC from Fixed Float Exploiter 2 to Fixed Float Exploiter 2–1. Unlike the main flow, which deals with the overarching movement of stolen assets, this secondary flow targets discrete transactions aimed at dispersing funds to obscure destinations.

Here the attacker employs a tactic of fragmentation, channeling portions of the stolen assets through separate pathways to dilute the traceability of the funds. By isolating and tracking these dispersed flows, we uncovered additional layers of the attacker’s strategy, shedding light on their complex methods.

In this flow, we follow the 97,64 BTC that were from Fixed Float Exploiter 2 to Fixed Float Exploiter 2–1

  • Fixed Float Exploiter 2–1 sent the same amount of Bitcoin 0,50000663 BTC to 72 distinct addresses
  • Each of the 72 addresses sent to 8 new addresses the same amount of 0,0625079 BTC

Fixed Float Exploiter 2–1 orchestrated the dissemination of 0.50000663 BTC across a staggering array of 72 distinct addresses. Subsequent to this initial distribution, each of the 72 addresses then propagated the assets to eight additional addresses, each receiving 0.0625079 BTC.

  • Out of the 576 addresses created, we identified two different address typology: holding addresses and transit addresses.

Holding Addresses. These addresses exhibited a uniform balance of 0.5 BTC, equivalent to approximately $26.1k, derived from 7 to 10 Transfer in transactions originating from the transit addresses. As of the most recent analysis conducted on February 20th, the stolen funds remain sequestered within these wallets.

Example of a holding address

Transit addresses. They are characterized by a distinctive final balance of 0 BTC tokens. These addresses serve as pivotal nodes within the intricate web of transactions orchestrated by the perpetrator. Notably, transit addresses exhibit a notable pattern of numerous BTC transfer out transactions directed towards the identified newly created attacker addresses (aka holding addresses).

Example of a transit address

The wallets associated with the exploiter have already been labelled in Nefture’s tools — allowing exchanges and other service providers to identify whether they are receiving the proceeds of this hack.

Timeline Post-exploit

  • February 16th: Fixed Float announce they have a “technical issue”

Initially, the team attributed the massive outflows to “minor technical problems” and put its systems on maintenance.

  • February 18th: Fixed Float confirms the hack

Two days after the exploit, the team acknowledged the exploit.

“We confirm that there was indeed a hack and theft of funds. We are not yet ready to make public comments on this matter, as we are working to eliminate all possible vulnerabilities, improve security, and investigate. Our service will be available again soon. We will provide details on this case a little later.” — Twitter Announce from Fixed Float

  • February 20th: Fixed Float services remains unavailble

As of February 20th, their services are still not available at press time of this writing. In addition, the exchange’s website is currently showing an error message on all pages.

All pages of the FixedFloat website currently display an error message. Source: FixedFloat.

The wallets associated with the exploiter have already been labelled in Nefture’s tools — allowing our clients to stay safe.

About Us

Nefture is a Web3 real-time security and risk prevention platform that detects on-chain vulnerabilities and protects digital assets, protocols, and asset managers from significant losses or threats through its monitoring tools.

Nefture’s core services include Real-Time Crypto Transaction Security and a Threat Monitoring Platform that provides accurate exploit detections and fully customized alerts covering hundreds of risk types, with clear expertise in DeFi.

Today, Nefture proudly collaborates with leading projects and asset managers, providing them with unparalleled security solutions that mitigate threats and ensure the security of their wallets and transactions.

--

--

Coinmonks
Coinmonks

Published in Coinmonks

Coinmonks is a non-profit Crypto Educational Publication.

NEFTURE SECURITY I Blockchain Security
NEFTURE SECURITY I Blockchain Security

Written by NEFTURE SECURITY I Blockchain Security

Nefture secures crypto assets by detecting and mitigating malicious activities and system failures. - nefture.com