Fixed Float Hack
Incident Overview
FixedFloat cryptocurrency exchange was exploited, resulting in the loss of 409.304 BTC and 1,728.48 ETH worth approximately $26,130,157 USD.
FixedFloat, a cryptocurrency exchange platform, was exploited on February 16, 2024. The attacker stole approximately $26.1 million worth of Bitcoin and Ethereum. Most of the money stolen was on the Bitcoin chain, funds were distributed between multiple addresses.
The stolen funds on the Ethereum Mainnet were transferred to the eXch exchange through multiple addresses, with a small portion deposited into HitBTC. Additional clarifications regarding the incident were not disclosed by FixedFloat.
Attacker Addresses:
https://www.blockchain.com/btc/address/bc1q2skp47p9f5mr4n4m27k66v0l68gh3xdd7ad4e5
https://etherscan.io/address/0x85c4fF99…3Fa085
Funds Holder as of Feb 19, 2024:
https://etherscan.io/address/0x2c01cAB6…F22d8F
Malicious Transactions:
https://etherscan.io/tx/0x1faa4861…b4ece8
https://etherscan.io/tx/0x8f0bd0a0…6ce740
https://etherscan.io/tx/0x98226160…88df41
https://etherscan.io/tx/0x15f7ac31…e5da6d
https://blockstream.info/tx/9822616097948dab2048395c4d887dbb1f99273e5cc40de2d86639013588df41
https://blockstream.info/tx/15f7ac31837c8dba597f46359857205df1c41573c4bb489b5a81fd058be5da6d
HitBTC Deposit Transaction:
https://etherscan.io/tx/0xe717258e…889e69
Incident Report
Protocol Information
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to Fixed Float, these are the critical security checks that could have prevented this incident (February 2024).
- Verify all logic paths related to Access Control are guarded by proper access controls and input validation - see the Access Control Attacks attack class for patterns
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialPost-Incident Timeline
-
2024-04-02
Apr 2, 2024 $2.8M was withdrawn from FixedFloat's hot wallet on the $ETH chain. FixedFloat team has announced that "On April 1, we were again attacked by the attackers who were behind the February 16 hack. The attackers did not stop there and continued to use various methods to try to hack our service again."
Related Attack Classes
The technique used in this hack maps to these vulnerability classes in our security curriculum:
Sources & References
- 01
-
02
Web Archive https://archive.is/7ObTi
Learn to Prevent the Next Fixed Float
The Fixed Float hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.