Bitcoin Forum
Author Topic: FixedFloat has been hacked (26M $)  (Read 538 times)
DaveF
February 23, 2024, 12:19:15 PM
Merited by LoyceV (4)
 #21

I was always under the impression that sites like this didn't even store user funds.
Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.

There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.

Saw this when I went to do a small swap of some alts I found a paper wallet for when cleaning up and didn't want to be bothered finding an exchange that actually traded them and setting up an account and so on....

-Dave

shield132
February 23, 2024, 09:13:47 PM
 #22

Quote from: DaveF
I was always under the impression that sites like this didn't even store user funds.
Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.

There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.

Saw this when I went to do a small swap of some alts I found a paper wallet for when cleaning up and didn't want to be bothered finding an exchange that actually traded them and setting up an account and so on....

-Dave

You might not believe it, but a local bank in my country was offering a crypto exchange service via a child company, and the child company was really using an API of other exchanges to make the trades. They fixed it once they became popular.
Btw when I visit fixedfloat.com it redirects to ff.io <-- I bet that they want to make this accident look like they didn't experience any hack at all and all of this happens because they purchased a new domain and want to move the whole database to a new one.

arabspaceship123
February 23, 2024, 10:59:44 PM
 #23

They aren't supposed to hold funds after they're exchanging. They should've sent swapped funds to destination addresses so how's $26M stolen?

Quote from: DaveF
I was always under the impression that sites like this didn't even store user funds.
Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.

There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.

Saw this when I went to do a small swap of some alts I found a paper wallet for when cleaning up and didn't want to be bothered finding an exchange that actually traded them and setting up an account and so on....

-Dave

LoyceV
February 24, 2024, 08:01:59 AM
 #24

Quote from: DaveF
I was always under the impression that sites like this didn't even store user funds.
Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.

There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.

Now that you mention it: I also thought that's how they operate, especially since they have a fixed and dynamic fee rate.
But withdrawal fees of most exchanges are a problem for that business model. Unless they get a custom deal, most exchanges charge far more to withdraw than an instant exchanger can earn from small trades.
It would make sense to only handle large transactions through a CEX, and handle small ones by themselves. That way they'd only need $26k instead of $26M in their hot wallet.

Synchronice
February 24, 2024, 10:07:29 AM
 #25

Quote from: LoyceV
Quote from: DaveF
I was always under the impression that sites like this didn't even store user funds.
Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.

There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.

Now that you mention it: I also thought that's how they operate, especially since they have a fixed and dynamic fee rate.
But withdrawal fees of most exchanges are a problem for that business model. Unless they get a custom deal, most exchanges charge far more to withdraw than an instant exchanger can earn from small trades.
It would make sense to only handle large transactions through a CEX, and handle small ones by themselves. That way they'd only need $26k instead of $26M in their hot wallet.

Many exchanges have fixed and dynamic fees, I think this gives them the possibility to charge you more percentage during trade while protecting you from slight volatility that god knows whether happens or not.
By the way, if it's possible to create an exchange via API, then how do they deal with high risk deposits?
Let's say that:
A is an instant exchange
B is a big exchange that gives API to A

How does B deal with high risk deposits that come from someone sending dirty coins to A instant exchange? Does B send a request to A to tell its user to submit KYC documents? Or how does it happen?

Seems, fixedfloat is live but some browsers warn me that fixedfloat is dangerous to visit:
Quote
Attackers on the site you're trying to visit might trick you into installing software or revealing things like your password, phone, or credit card number. Chrome strongly recommends going back to safety.

Karma exists!

LoyceV
February 24, 2024, 10:25:30 AM
Last edit: February 24, 2024, 12:57:02 PM by LoyceV
Merited by Synchronice (1)
 #26

Quote from: Synchronice
if it's possible to create an exchange via API, then how do they deal with high risk deposits?
Let's say that:
A is an instant exchange
B is a big exchange that gives API to A

How does B deal with high risk deposits that come from someone sending dirty coins to A instant exchange? Does B send a request to A to tell its user to submit KYC documents? Or how does it happen?

I've seen topics about it: Basically, A claims B froze their funds based on arbitrary conditions (despite A claiming in their terms they use their own funds), and A makes up arbitrary terms for the user to get back their funds. It doesn't make much sense. The whole "freezing" and "dirty" is BS anyway, exchanges would gladly send those funds to other users again:
The funds remain frozen at our addresses, and when the frozen funds are seized by the authorities, they are also sent from our addresses.
That's not true. You say the funds "remain frozen", but that can't be since you've mixed them already.
The first transaction was mixed in this transaction and that same output was used to send to another address. The second transaction was mixed in this transaction and also sent to another address. None of the funds were frozen in your wallet, you're normally using them to pay other people.
To summarize: if those funds came from criminal activity as you claim, you've now sent it to other innocent users who now own those "tainted" Bitcoins.
It sounds very much like you only care about "taint" when it's convenient for you.

DaveF
February 26, 2024, 09:02:07 PM
 #27

Quote from: LoyceV
Quote from: DaveF
I was always under the impression that sites like this didn't even store user funds.
Don't know why but, I was thinking they were just using the APIs of other exchanges to make the trades and skimming a small % off the top to make their profit.

There were a few of them in the past that operated that way. Put together a pretty interface, no real KYC, and just take a small cut.

Now that you mention it: I also thought that's how they operate, especially since they have a fixed and dynamic fee rate.
But withdrawal fees of most exchanges are a problem for that business model. Unless they get a custom deal, most exchanges charge far more to withdraw than an instant exchanger can earn from small trades.
It would make sense to only handle large transactions through a CEX, and handle small ones by themselves. That way they'd only need $26k instead of $26M in their hot wallet.

Once again as an assumption, I had in my mind that the lack of withdraw fees was covered by the rates that were not that good.
I *know* that is how a couple of other places worked.

The rate you saw was what you would get if you went to a full regular exchange minus the withdraw fee minus their cut.

I know that when I was moving some forked BCH that I had with them last year I followed the coins to some other exchange. The BTC I got back was from a small wallet, no idea whose it was.

-Dave

Yamane_Keto
February 27, 2024, 01:08:14 AM
 #28

https://fixedfloat.com service is partially back, trading pairs such as Bitcoin, Ethereum, and Monero are still temporarily suspended, only a few tokens besides LTC are allowed.


February 27, 2024

Their description of the hack indicates that the security structure allowed hackers to access the basic functions of the service. It is a complete failure and appears to be access to cold storage
--
--

I did not find an official statement from them. I read some articles that talked about the reason and it seemed, as I mentioned, a complete failure of the system, as one of the articles mentioned that private key exploit.

On-chain Details show that the attack lasted for more than two hours. The hackers emptied their ETH balance first, and then after an hour, the same thing was repeated for Bitcoin, for more than half an hour. In both cases, the damage could have been mitigated, as the Bitcoin wallets were emptied after more than an hour from the suspicious movement of ETH wallets.

FixedFloat Exploit

dkbit98
February 27, 2024, 09:58:21 PM
 #29

Quote from: Yamane_Keto
https://fixedfloat.com service is partially back, trading pairs such as Bitcoin, Ethereum, and Monero are still temporarily suspended, only a few tokens besides LTC are allowed.

They came back faster than I expected, and after reading their latest blog posts I can say they had very poor protection, and slow reaction to initial hack.
According to their twitter account they are now making a planned transition to new short domain ff.io:
https://twitter.com/FixedFloat/status/1761267221051977842

FinneysTrueVision
April 01, 2024, 11:10:34 PM
Last edit: April 01, 2024, 11:50:59 PM by FinneysTrueVision
Merited by LoyceV (2)
 #30

It seems like they were probably hacked again. Their website went offline some hours ago. Millions in ETH, stablecoins, and BNB have been transferred from their hot wallets and some of it has been swapped using eXch.



The ETH wallet 0x4E5B2e1dc63F6b91cb6Cd759936495434C7e972F was the same one that was hacked in February.

stompix
April 02, 2024, 01:47:12 PM
Merited by LoyceV (2)
 #31

Quote from: FinneysTrueVision
The ETH wallet 0x4E5B2e1dc63F6b91cb6Cd759936495434C7e972F was the same one that was hacked in February.

Waaaaiiit a minute!

Let's assume they were not hacked this time until confirmation but! they are still using the same hot wallet, the same address that was hacked last time? They didn't even change that and they were up and running like nothing happened? They didn't even mention what went wrong the first time, the services were not fully back but they kept using the same system and the same addresses? Come on, this is unbelievable!

 

LoyceV
April 02, 2024, 01:59:01 PM
 #32

Quote from: stompix
Let's assume they were not hacked this time until confirmation but! they are still using the same hot wallet the same address that was hacked last time?

My speculation: maybe the wallet wasn't compromised, but the rest of the system. Like: someone made it look as if they made a transaction without making a deposit, after which the payment was sent.

dkbit98
April 02, 2024, 07:18:05 PM
Merited by LoyceV (2), RickDeckard (2)
 #33

Quote from: FinneysTrueVision
It seems like they were probably hacked again. Their website went offline some hours ago. Millions in ETH, stablecoins, and BNB have been transferred from their hot wallets and some of it has been swapped using eXch.

This hack is now officially confirmed on FixedFloat twitter account.
I can't believe this is actually happening in the same way like last time, and something seriously stinks here.
It sounds to me like there is some information leak from inside this exchange.

Quote
On April 1, we were again attacked by the attackers who were behind the February 16 hack. The attackers did not stop there and continued to use various methods to try to hack our service again. Thanks to the enormous work done to improve the security of our infrastructure, we were able to successfully repel their attacks and continue to work.

However, despite all our efforts, unfortunately, hackers managed to discover a vulnerability of a third party whose services we use. Although such third-party attacks are beyond our control, we take all necessary measures to strengthen the security of our service and will work to prevent similar incidents in the future.

We would like to emphasize that financial losses affected only our service; hackers stole funds to ensure the liquidity of the service, that is, the company’s funds and user funds were not affected. We also want to emphasize that FixedFloat does not perform the functions of a custodial service, that is, it does not store user funds.

We are currently in the process of an active investigation. Details of the incident cannot yet be disclosed due to the ongoing investigation.
https://twitter.com/FixedFloat/status/1775172224216875223

stompix
April 03, 2024, 01:53:40 PM
Merited by dkbit98 (1)
 #34

Quote from: LoyceV
My speculation: maybe the wallet wasn't compromised, but the rest of the system. Like: someone made it look as if they made a transaction without making a deposit, after which the payment was sent.

Let's assume that would be true, now which one of the old crypto users who has been around for years and knows about security would just say, we know what the bug is, the rest is safe, let's keep the same wallet that was drained because changing one line is way too complicated  Cheesy
They got lazy at least to say, that, if the second hack is a hack at all.

Quote from: dkbit98
This hack is now officially confirmed on FixedFloat twitter account.
I can't believe this is actually happening in the same way like last time, and something seriously stinks here.

Stinks is underestimating this, I read that twice and I still can't understand a few things:

Quote
Thanks to the enormous work done to improve the security of our infrastructure, we were able to successfully repel their attacks and continue to work.
However, despite all our efforts, unfortunately, hackers managed to discover a vulnerability of a third party whose services we use

This seems like successfully repelling all the attack on all fronts while losing all your army and retreating 200 miles.
Then:

Quote
We would like to emphasize that financial losses affected only our service; hackers stole funds to ensure the liquidity of the service, that is, the company’s funds and user funds were not affected.

So those were not customer money nor company funds, was it the hacker's own money, or what cause if somebody provided liquidity for your company then it's your company money, and you're going to have to pay it back!!!!
The first one might have been a genuine hack, this one sounds like an exit...s word!

DaveF
April 03, 2024, 07:45:56 PM
 #35

Yeah, something is not right.
Or, and this is just a guess, the original hack was worse than they thought it was and they had more access to the systems than FF thought so they just had to wait for wallets to be refilled and do it again.

Shrug, whatever, so long as no user funds were lost then it's an internal issue. If you don't take security seriously then that's on you.

Should have been down for weeks while every line of code was checked.


If it really was a 3rd party that was at fault, then why would ANY 3rd party have access to your hot wallets....

-Dave

arabspaceship123
April 07, 2024, 11:59:41 PM
 #36

They've lost $26M in hot wallets so we've got to know if they're being targeted by outside hackers or inside info helping inside hackers. They haven't told ppl because they're investigating. FixedFloat weren't well known before their hacks now ppl are talking about them for the wrong reasons.

dkbit98
April 08, 2024, 04:51:08 PM
 #37

Quote from: stompix
This seems like successfully repelling all the attack on all fronts while losing all your army and retreating 200 miles.

Whatever they did to ''improve'' their service now made them look like a bunch of amateurs.  Tongue
This sounds like a classic backdoor access to me, building taller walls won't help to protect you from this.

Quote from: stompix
So those were not customer money nor company funds, was it the hacker's own money, or what cause if somebody provided liquidity for your company then it's your company money, and you're going to have to pay it back!!!!
The first one might have been a genuine hack, this one sounds like an exit...s word!

Maybe, but whenever I hear the story about evil hackers I have doubts if they really exist or if they exist who hired them.

Quote from: DaveF
Should have been down for weeks while every line of code was checked.

Exactly.
If first hack happened and I was the owner of FF, I would never continue to work and get back so quickly like they did.

examplens
April 09, 2024, 10:06:39 AM
 #38

Quote from: dkbit98
Quote from: DaveF
Should have been down for weeks while every line of code was checked.

Exactly.
If first hack happened and I was the owner of FF, I would never continue to work and get back so quickly like they did.


They needed to be robbed twice to accept the seriousness of the situation, now they have been in maintenance for 8 days. I wouldn't bother checking the old code, it's probably safer for them to start everything from scratch.

Did they announce somewhere what the amount is in this second incident?

RickDeckard
April 09, 2024, 10:33:49 AM
 #39

Quote from: examplens
Did they announce somewhere what the amount is in this second incident?

A security research firm told Coindesk[1] that there were suspicious transfers of around ~ 3 million ETH. I have just checked the website and it continues in maintenance mode so I guess that they haven't solved the problem. According to a recent tweet of theirs[2] they were once again attacked by the same group:
Quote
On April 1, we were again attacked by the attackers who were behind the February 16 hack. The attackers did not stop there and continued to use various methods to try to hack our service again. Thanks to the enormous work done to improve the security of our infrastructure, we were able to successfully repel their attacks and continue to work.

However, despite all our efforts, unfortunately, hackers managed to discover a vulnerability of a third party whose services we use. Although such third-party attacks are beyond our control, we take all necessary measures to strengthen the security of our service and will work to prevent similar incidents in the future.

We would like to emphasize that financial losses affected only our service; hackers stole funds to ensure the liquidity of the service, that is, the company’s funds and user funds were not affected. We also want to emphasize that FixedFloat does not perform the functions of a custodial service, that is, it does not store user funds.

We are currently in the process of an active investigation. Details of the incident cannot yet be disclosed due to the ongoing investigation.

[1]https://www.coindesk.com/markets/2024/04/02/bitcoin-lightning-exchange-fixedfloat-sees-suspicious-transfers-of-3m-to-ethereum-tron/
[2]https://twitter.com/FixedFloat/status/1775172224216875223

logfiles
April 09, 2024, 10:55:53 PM
 #40

Quote from: stompix
Quote
We would like to emphasize that financial losses affected only our service; hackers stole funds to ensure the liquidity of the service, that is, the company’s funds and user funds were not affected.

So those were not customer money nor company funds, was it the hacker's own money, or what cause if somebody provided liquidity for your company then it's your company money, and you're going to have to pay it back!!!!
The first one might have been a genuine hack, this one sounds like an exit...s word!

I had a laugh when I also read that part. Like if the $26M+ is not customer's money nor company's money. Then whose money is it?  Grin
Did someone just stash it in the address that just happens to be fixedfloat's and then hackers came in and stole it?

I think it's just a matter of time before we get an announcement that they are shutting down, or they will probably stay in maintenance mode indefinitely.
