FixedFloat Crypto Exchange Hit by $2.8 Million Exploit

FixedFloat, an automated cryptocurrency exchange, reportedly lost $2.8 million due to an exploit targeting its hot wallet. CyversAlerts detected suspicious transactions and traced the stolen funds to a suspicious address that received various digital assets. The perpetrators exchanged the assets into Ethereum and transferred them to the eXch exchange. Access control flaws may have enabled the hack, similar to a previous incident in February where FixedFloat lost $26 million.

FixedFloat Crypto Exchange Suffers Major Exploit, Losing $2.8 Million

San Francisco, California, April 2, 2024 - FixedFloat, a fully automated cryptocurrency exchange, has become the victim of a significant exploit, resulting in the theft of $2.8 million from its hot wallet on the Ethereum blockchain. The incident was first reported by CyversAlerts, a blockchain security monitoring firm.

Funds Transferred to Suspicious Address

According to CyversAlerts, the perpetrators withdrew the funds from FixedFloat's hot wallet to a suspicious address. The address subsequently received Ethereum ($ETH), Tether ($USDT), Wrapped Ethereum ($WETH), Dai ($DAI), and USD Coin ($USDC).

Asset Swaps and Funds Movement

The suspicious address then executed asset swaps into Ethereum via decentralized exchanges before funneling the entire funds into the eXch exchange. Notably, hot wallet operations ceased abruptly after the incident, and the company's website is currently undergoing maintenance, leaving users uncertain about the status of their assets.

Access Control Issue Suspected

Cyvers Alerts has suggested that the security breach at FixedFloat resembles a previous hack on February 16th, which also targeted the platform's access controls. In both incidents, unauthorized access to the hot wallet led to the withdrawal of substantial funds ($2.8 million and $26 million, respectively).

Pattern of Exploitation

Cyvers Alerts observed that blacklisted tokens like USDT and USDC were swiftly swapped to avoid being frozen, while DAI was directly deposited to eXch without conversion. This pattern suggests that the attackers specifically targeted the system's access controls for exploitation.

Tether Blacklists Addresses

In a subsequent development, Tether has blacklisted seven addresses associated with the FixedFloat exploit, resulting in the withdrawal of a total of 280,000 USDT from the platform.

Previous Security Breach

This incident is not the first security breach reported at FixedFloat. On February 16th, the platform experienced a separate breach resulting in a loss of $26 million, again attributed to an access control issue. The stolen funds were distributed across multiple addresses and laundered through the eXch exchange.

About FixedFloat

FixedFloat is an automated crypto exchange that does not require user registration or Know Your Customer (KYC) verifications. According to data from SEMrush, approximately 26% of its web traffic originates from the United States.

Investigation Ongoing

Law enforcement and blockchain security experts are currently investigating the FixedFloat exploit. The full extent of the damage and the identities of the perpetrators remain unknown.

Financial Impact on Users

The incident has had a significant financial impact on FixedFloat users, who are currently unable to access their assets due to the suspended operations of the hot wallet. The company has yet to provide any updates on the recovery process or the extent of the losses incurred.

Security Implications

The FixedFloat exploit highlights the ongoing security challenges faced by cryptocurrency exchanges. The incident underscores the importance of robust access controls, secure storage practices, and vigilant monitoring to prevent unauthorized access and protect user funds.