FixedFloat Crypto Exchange Allegedly Exploited for $2.8M

by BSCN

April 2, 2024

The incident follows a previous security breach in February, suggesting vulnerabilities in access controls.

FixedFloat, a fully automated cryptocurrency exchange, reportedly fell victim to a significant exploit resulting in the withdrawal of $2.8 million from its hot wallet on the Ethereum chain, as reported by CyversAlerts.

Reports indicate that the perpetrators transferred the funds to a suspicious address, which then received Ethereum ($ETH), Tether ($USDT), Wrapped Ethereum ($WETH), Dai ($DAI), and USD Coin ($USDC).

The suspicious address swapped the assets into Ethereum via decentralized exchanges before funneling all of the funds into the eXch exchange. Subsequently, the hot wallet abruptly ceased operations, and the company's website is currently undergoing maintenance, leaving users in a state of uncertainty.

“The security breach at FixedFloat suggests an access control issue, similar to a previous hack on February 16,” Cyvers Alerts told BSCN. “In both incidents, unauthorized access to the hot wallet led to the withdrawal of significant funds ($2.8M and $26M, respectively).”

According to Cyvers Alerts, tokens subject to issuer blacklisting, such as USDT and USDC, were swiftly swapped to avoid being frozen, while DAI was deposited directly to eXch without conversion. The pattern indicates that the system's access controls were targeted for exploitation.

Fresh reports reveal that Tether blacklisted seven addresses, resulting in the withdrawal of a total of 280K USDT from FixedFloat. 

Previous Security Breach

This incident is not the first reported security breach encountered by FixedFloat. On February 16, the platform experienced a breach resulting in a loss of $26 million, attributed to an access control issue. More than 409.304 BTC and 1,728.48 ETH worth $26.1 million were drained in 9 transactions.

Hackers stole the funds on the Bitcoin chain and distributed them between multiple addresses. They transferred the stolen funds on Ethereum to the same eXch exchange through multiple addresses. An analysis of the flow of funds suggested an address was compromised by a private key exploit.

FixedFloat is an automated crypto exchange that does not require user registration or Know Your Customer (KYC) verifications. Around 26% of its web traffic comes from users in the United States, according to data from SEMrush.
