In February 2024, FixedFloat, a cryptocurrency exchange that operates without Know Your Customer (KYC) and Anti-Money Laundering (AML) protections, was the victim of a hack. The attackers stole an estimated $26.1 million in Bitcoin and Ether from the project.
Inside the Attack
Initially, the FixedFloat hack was believed to be an insider attack or rug pull. The only indications of the hack were that cryptocurrency was transferred from addresses associated with the project to attacker-controlled ones. However, the team behind the project denied this and claimed that the transfers were performed by a third party exploiting vulnerabilities and security gaps in its infrastructure. These gaps allowed the attacker to access sensitive functionality within the protocol.
If performed by an external party, the incident appears to have been a private key theft. There is no sign of exploitation of the protocol’s smart contracts. Also, the issues with the protocol’s infrastructure could also refer to its protection of private keys.
The exact details of the FixedFloat hack are still unknown, even several days after it occurred. The team put the project in maintenance mode and, apparently, prioritized fixing vulnerabilities in its services over providing information to the public. Later, the project tweeted that it would provide information privately to journalists about the incident, but no public disclosure of the attack details has been made.
Lessons Learned from the Attack
FixedFloat’s handling of its security incident is largely a demonstration of what not to do in the aftermath of a hack in the DeFi space. The best-handled hacks to date have included frank, timely disclosures of details to customers as soon as is practical. While, in some cases, details may need to be concealed until a vulnerability is fixed, providing information promptly helps to decrease FUD and build trust in the project.
In the case of FixedFloat, the protocol froze the protocol before publicly acknowledging the hack, spurring accusations of a rugpull. Additionally, it claimed that it had no resources to provide information about what occurred, despite responding to Tweets and rolling out a new website. When information was provided, it was offered privately only to journalists in the form of responses to provided questions.
The FixedFloat hack demonstrates the importance of a robust security infrastructure that protects private keys and other sensitive aspects of a DeFi protocol. For more information about securing your project, feel free to get in touch with Halborn.