The FixedFloat April Hack: Comprehensive Analysis and Insights

Sentinel Protocol Team
Published in Sentinel Protocol
4 min read · May 30, 2024

Source: https://x.com/FixedFloat/status/1775172224216875223
CAMS link: https://portal.sentinelprotocol.io/cams-dashboard/57dfd5d2-942b-44ac-9600-7adcf6578a08

On February 16th, 2024, the crypto exchange FixedFloat experienced a significant security breach, resulting in a loss of $26 million. Just weeks later, on April 1st, 2024, a second breach was detected. This incident involved the unauthorized transfer of various digital assets, including ETH, USDT, WETH, DAI, and USDC, leading to an additional loss of $2.80 million.

Our in-house research team at Uppsala Security examined the second part of the incident, which took place in the first half of April, using in-house built tools such as the Crypto Asset Monitoring Service (CAMS) and the Crypto Analysis Transaction Visualization (CATV). These tools provided more insights and helped break down the malicious actors’ activities and funds movement.

Part 1: Incident Description and Overview

On April 1st, 2024, FixedFloat suffered another hack. The hack was purportedly carried out by the same group of hackers who attacked the decentralized exchange on February 16th, 2024. The hacker’s wallet has been identified as 0xFA0200A7b73F2B36D14815336483039ecC6dea8b, which has received many outgoing transactions from the FixedFloat wallet.

The graph below was generated by our Crypto Asset Monitoring Service (CAMS) tool. This tool visualizes the flow of transactions from FixedFloat to the hacker’s wallet (0xFA0200A7b73F2B36D14815336483039ecC6dea8b) and eventually to eXch/Automatic Cryptocurrency Exchange, a decentralized exchange.

Image 1: Transaction Flow of the FixedFloat April Hack, generated with Uppsala Security’s Crypto Asset Monitoring Service (CAMS) tool

Part 2: Transaction Flow from FixedFloat to Hacker Wallet

The list of withdrawal transactions made by the hacker on the FixedFloat account is as follows (TXID, Amount, Token):

A Google Spreadsheet containing the above TXIDs can be accessed here.

As a result of the list of transactions above, 0xFA0200A7b73F2B36D14815336483039ecC6dea8b obtained a total of 155.7879878 ETH, 1,387,508.56 USDT, 402,254.39 USDC, 70.8044058 WETH and 238,941.23 DAI.

Part 3: Swapping of ERC20 tokens to ETH

The following ERC20 tokens were swapped to ETH via multiple transactions on Uniswap (TXID, Amount Swapped In, Amount Swapped Out):

A Google Spreadsheet containing the above TXIDs can be accessed here.

This brings the total ETH balance of the hacker wallet to 716.8598936 ETH (155.7879878 + 28.9858 + 58.0048 + 257.6408 + 87.5903 + 58.0458 + 70.8044058).

This also leaves 100,000 USDC and 239,275.83 DAI, which were not swapped.

Part 4: Flow of funds to eXch / Automatic cryptocurrency exchange

100,000 USDC and all 238,941.23 DAI were sent to 0xaeC73DCA60F5Ca32c603A7cd6Ffba4fbaF17fd55, then to eXch / Automatic cryptocurrency exchange, a decentralized exchange, through the following TXIDs:

DAI Flow (238,941.23 DAI):

TXID 1: 0x11188714ae80f63797f2a2a4d40f6ab112cd1249f9bfb28bcba72b59ca3fff48

From 0xFA0200A7b73F2B36D14815336483039ecC6dea8b to 0xaeC73DCA60F5Ca32c603A7cd6Ffba4fbaF17fd55

TXID 2: 0xebf30d73f3f8f1d58e4b51797d3cace70028bc0617a59dae9e14005558873da9

From 0xaeC73DCA60F5Ca32c603A7cd6Ffba4fbaF17fd55 to 0xf1dA173228fcf015F43f3eA15aBBB51f0d8f1123 (eXch / Automatic cryptocurrency exchange)

USDC Flow (100,000 USDC):

TXID 1: 0xc7698a5e27fd29486aa6ea50e6b1854ff7a430d6417bebd4cdcb68cf21cc3d88

From 0xFA0200A7b73F2B36D14815336483039ecC6dea8b to 0xBd856Af6661748E76Ea6b4824874551F09CA1068

TXID 2: 0x7054f76d39efa7e890776019b253b1e973acdc7bf972ba67b890ff1eed90988a

From 0xBd856Af6661748E76Ea6b4824874551F09CA1068 to 0xf1dA173228fcf015F43f3eA15aBBB51f0d8f1123 (eXch / Automatic cryptocurrency exchange)

The hacker also transferred the ETH to two separate wallets before finally sending it to eXch / Automatic cryptocurrency exchange. The flow of transactions is documented below.

ETH Flow 1:

TXID 1: 0x677e71f053d1aa13e197a0f7f732a12d11aaa9c81a34bfdb9d7f3713ebed52c9

From 0xFA0200A7b73F2B36D14815336483039ecC6dea8b to 0xaeECB06C70EF1949693E1936Bd626cdf348c294b

TXID 2: 0x7c6aefb7f1f1ad4cf0426440720389456cdf1813e82e62362b04b61765ceef01

From 0xaeECB06C70EF1949693E1936Bd626cdf348c294b to 0xf1dA173228fcf015F43f3eA15aBBB51f0d8f1123 (eXch / Automatic cryptocurrency exchange)

ETH Flow 2:

TXID 1: 0xbfce45ef5d0790fedcfc973a2f1e5decf82a476f3ae7e8dbd489e8fa43869ca4

From 0xFA0200A7b73F2B36D14815336483039ecC6dea8b to 0x9eFB278F1bBdf3c47ADC6cD81EbFb7Fc060f25b6

TXID 2: 0x5b59a221949f213cddd2ab93ac3c5fc2b5e2ca75e1c92d4c84dcac3dd6cdd2bb

From 0x9eFB278F1bBdf3c47ADC6cD81EbFb7Fc060f25b6 to 0xf1dA173228fcf015F43f3eA15aBBB51f0d8f1123 (eXch / Automatic cryptocurrency exchange)
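The hops listed in Part 4 can be loaded into a small graph and traced programmatically. The following Python is an added example, not part of the original article or of Uppsala Security's CAMS/CATV tooling: it validates the address and TXID formats, then walks each flow from the hacker wallet to the eXch address and reports the pass-through wallet per flow. The names W1 to W4, the flow labels and the function names are assumptions made for this example; the addresses and TXIDs are transcribed from the list above.

```python
import re

HACKER = "0xFA0200A7b73F2B36D14815336483039ecC6dea8b"
EXCH = "0xf1dA173228fcf015F43f3eA15aBBB51f0d8f1123"  # labelled eXch in the article
W1 = "0xaeC73DCA60F5Ca32c603A7cd6Ffba4fbaF17fd55"  # W1..W4: names assumed here
W2 = "0xBd856Af6661748E76Ea6b4824874551F09CA1068"
W3 = "0xaeECB06C70EF1949693E1936Bd626cdf348c294b"
W4 = "0x9eFB278F1bBdf3c47ADC6cD81EbFb7Fc060f25b6"
# (flow, txid, from, to): the eight hops listed in Part 4, transcribed as given.
HOPS = [
    ("DAI", "0x11188714ae80f63797f2a2a4d40f6ab112cd1249f9bfb28bcba72b59ca3fff48", HACKER, W1),
    ("DAI", "0xebf30d73f3f8f1d58e4b51797d3cace70028bc0617a59dae9e14005558873da9", W1, EXCH),
    ("USDC", "0xc7698a5e27fd29486aa6ea50e6b1854ff7a430d6417bebd4cdcb68cf21cc3d88", HACKER, W2),
    ("USDC", "0x7054f76d39efa7e890776019b253b1e973acdc7bf972ba67b890ff1eed90988a", W2, EXCH),
    ("ETH 1", "0x677e71f053d1aa13e197a0f7f732a12d11aaa9c81a34bfdb9d7f3713ebed52c9", HACKER, W3),
    ("ETH 1", "0x7c6aefb7f1f1ad4cf0426440720389456cdf1813e82e62362b04b61765ceef01", W3, EXCH),
    ("ETH 2", "0xbfce45ef5d0790fedcfc973a2f1e5decf82a476f3ae7e8dbd489e8fa43869ca4", HACKER, W4),
    ("ETH 2", "0x5b59a221949f213cddd2ab93ac3c5fc2b5e2ca75e1c92d4c84dcac3dd6cdd2bb", W4, EXCH),
]
ADDR = re.compile(r"0x[0-9a-fA-F]{40}")   # 20-byte account address
TXID = re.compile(r"0x[0-9a-fA-F]{64}")   # 32-byte transaction hash

def build_graph(hops):
    """Index hops by lower-cased sender; reject malformed addresses or TXIDs."""
    graph = {}
    for flow, txid, src, dst in hops:
        if not (TXID.fullmatch(txid) and ADDR.fullmatch(src) and ADDR.fullmatch(dst)):
            raise ValueError(f"malformed hop in flow {flow}: {txid}")
        graph.setdefault(src.lower(), []).append((flow, txid, dst.lower()))
    return graph

def trace(graph, source, sink, max_hops=4):
    """Return every path source -> sink that stays within one flow label."""
    sink, paths, stack = sink.lower(), [], [(source.lower(), [])]
    while stack:
        node, path = stack.pop()
        if node == sink and path:
            paths.append(path)
            continue
        if len(path) >= max_hops:  # bound the walk so cycles cannot loop forever
            continue
        for flow, txid, dst in graph.get(node, []):
            if not path or flow == path[0][0]:
                stack.append((dst, path + [(flow, txid, dst)]))
    return paths

def pass_through(paths):
    """Map each flow label to the wallets it crosses before reaching the sink."""
    return {p[0][0]: [dst for _, _, dst in p[:-1]] for p in paths}
```

Addresses are compared in lower case because the mixed casing is only an EIP-55 checksum; `pass_through(trace(build_graph(HOPS), HACKER, EXCH))` returns one intermediary wallet for each of the four flows.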

To stay updated with the latest details about the FixedFloat incident and other significant events affecting the Web3 ecosystem, please subscribe to our Medium and follow us on Twitter. If you’re eager to put your investigatory skills to work, check out Chainkeeper, our newest AI-powered release, currently in Beta. Our team is here to support your investigations and can be reached anytime at info@uppsalasecurity.com.

About Uppsala Security

Uppsala Security is a leading provider of innovative security tools and services, specializing in Crypto Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF), Transaction Risk Management, Regulatory Compliance, and Transaction Tracking. With a team of experts dedicated to staying ahead of emerging threats, Uppsala Security empowers both end-users and organizations with the knowledge and tools to safeguard their operations in the fast-paced world of cryptocurrencies.

Uppsala Security is headquartered in Singapore and has branch offices in Seoul, South Korea. Follow Uppsala Security on LinkedIn, Twitter, Facebook and Medium.
