Fixed Float seizes $200,000 of ether from the Curve hack

Quick Take

  • Fixed Float said it froze $200,000 of stolen ether that was stolen from the decentralized exchange Curve.
  • The attacker attempted to launder the stolen funds by transferring it to Fixed Float.
 

Cross-chain exchange Fixed Float said it froze 112 ether ($200,000) that was stolen in a front-end exploit on the decentralized exchange Curve.

On Tuesday, Curve Finance had its front end compromised with a Domain Name Service (DNS) spoof. The perpetrator redirected users, asking them to approve a malicious contract. This attack stole more than $612,000 in stablecoins and swapped them to ether (ETH), per security firm CertiK.

Following the theft, the attacker attempted to launder the stolen funds by transferring it to Fixed Float. This is a (mostly) decentralized exchange based on the Lightning Network, which offers swaps between ether and bitcoin.

The attacker likely hoped to obfuscate their on-chain traceability by leveraging an atomic swap from Ethereum to the Lightning channel-based exchange. However, Fixed Float is not fully decentralized as the hackers may have hoped. The DEX acted quickly and was able to seize a portion of the assets.

“Our security department has frozen part of the funds in the amount of 112 ETH,” Fixed Float said on Twitter.

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

Usually hackers funnel all of the stolen assets through Tornado Cash, a popular mixer on Ethereum which allows them to obfuscate their transfers. In this Curve exploit, though, hackers tried to limit the use of Tornado Cash and only a small amount of stolen ETH was sent there. 

According to Ryan Wegner, lead security engineer at Polygon, the hacker transferred 242 ETH to Fixed Float. The hacker sent only a small amount to Tornado Cash, roughly 26 ETH. A further 23 ETH were transferred to Sideshift, a non-KYC crypto exchange.

Fixed Float did not immediately respond to The Block's request for comment.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]