Dexible: Unvalidated router — selfSwap() transferFrom injection via approval drain
Dexible's unaudited selfSwap() function let attackers pass any token contract as a DEX router, draining $2M from users with standing approvals on Ethereum and Arbitrum.
Summary #
Dexible suffered a DEX Aggregator on 2023-02-17, resulting in a loss of approximately $2M.
What happened #
Dexible's unaudited selfSwap() function let attackers pass any token contract as a DEX router, draining $2M from users with standing approvals on Ethereum and Arbitrum.
Linked factors #
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited code]
- RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — v2 contracts introduced the selfSwap() function days before exploit] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — v2 contracts introduced the selfSwap() function days before exploit]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown / not mentioned]
- RD-F-096 — illustrative : New ERC-20 approval to unverified contract [via realtime_signals/Pre-exploit on-chain signals: None identified — the attack harvested existing approvals with no preparatory on-chain footprint beyond the attacker being funded]
- RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — v2 contracts introduced the selfSwap() function days before exploit]