- FixedFloat, a non-KYC crypto exchange, lost over $26 million due to a hack, affecting 409 BTC and 1,728 ETH.
- Initial reports mistook the hack for “minor technical problems” until user 0xJosh highlighted the severe security breach.
- Despite the hack, FixedFloat claims user funds are safe, stressing their non-custodial nature and promising to address pending payments.
A hack targeted a decentralized, non-KYC cryptocurrency exchange, resulting in a loss of over $26 million. The exchange, FixedFloat, which facilitates the trading of Bitcoin and other cryptocurrencies in a decentralized and anonymous manner, reported this significant financial setback. The hack led to the loss of 409 BTC and 1,728 ETH.
Community members first brought the issue to light on February 17, mentioning that the platform was undergoing forced maintenance and that transactions were taking longer than usual. It was only an hour later that the FixedFloat team responded, stating there were “some minor technical problems.” Maintenance on the platform was ongoing at that time.
However, the situation took a dramatic turn when 0xJosh, a user on X, raised the alarm that the situation was a hack. In a post, he stated, “FixedFloat just got exploited/the developer ran away with 1,700 ETH yesterday, and the team is calling it ‘some minor technical problem’ — crazy.”
“@FixedFloat just got exploited/the developer ran away with 1700 ETH yesterday, and the team is calling it "some minor technical problem" — crazy 😂 Drainer address: 0x85c4fF99bF0eCb24e02921b0D4b5d336523Fa085”
— 0xJosh (@reprove), February 18, 2024
In a conversation via X direct messages, 0xJosh described how he discovered the issue:
“I was mainly focusing on researching other chains, and I stumbled upon FixedFloat, and I saw that a lot of users who made transactions hadn’t received their money. This piqued my curiosity, so I took a closer look and, lo and behold, their funds were gone.”
He pointed out the ambiguity of the situation, suggesting it was uncertain whether this was an external breach or an inside job, and recommended waiting for an official explanation from FixedFloat.
Responding to these concerns, the FixedFloat team clarified in an email that the breach was indeed an external attack, not an insider incident. “The recent hacking of our system was not carried out by our employees; it was an external attack caused by vulnerabilities in our security structure. The limited information we can share at the moment is that the problem was in our infrastructure, which was compromised due to flaws and insufficient protection,” they stated, shedding light on the nature of the security breach.
According to FixedFloat, the breach gave the attacker unauthorized access to several functionalities of the service. Details about the incident remain limited while the investigation is ongoing; the team has committed to publishing a comprehensive report once it concludes.
Despite the significant financial impact, FixedFloat reports that the breach leaves it with outstanding payments on only about 30 customer orders. The team assured users that these payments would be processed as soon as the platform is securely operational again.
FixedFloat has also made it clear that the hack did not compromise user funds directly. They emphasized that their platform does not act as a custodian for user assets, meaning they do not store users’ funds on their service.
The aftermath of the hack saw the illicit movement of assets, with a user known as officer_cia on X reporting that the majority of the stolen ETH was funneled into eXch, a centralized mixing service utilizing thorswap on Ethereum. Additionally, the siphoned BTC was observed to be scattered and laundered through Whirlpool, a mixing service provided by Samourai Wallet, and TradeOgre, a non-KYC exchange.
In light of these events, 0xJosh advises caution when engaging with smart contracts, especially on decentralized exchanges like FixedFloat. He suggests ensuring that any smart contract is audited by a reputable security firm to mitigate, although not completely eliminate, the risk of vulnerabilities.