On February 17, 2023, the trading app Dexible lost approximately $2 million when an attacker exploited the selfSwap function, which made an arbitrary external call using a user-supplied router address and calldata without validation. The attacker pointed it at token contracts and called transferFrom against every wallet holding Dexible approvals.
What happened
selfSwap was designed to route trades through an arbitrary DEX router supplied by the caller. It restricted neither the target nor the calldata. The attacker invoked it with a token contract as the target and transferFrom(victim, attacker, balance) as the calldata, draining ~$2M from approval-granting wallets across Ethereum and Arbitrum.
Aftermath
- Dexible paused the contract and urged users to revoke approvals.
- The team published a post-mortem; partial mitigation followed.
Why it matters
Dexible is one of the purest instances of the "arbitrary external call with caller-controlled target" anti-pattern — structurally identical to Furucombo, Transit Swap, and LI.FI. Any approval-holding contract that lets the caller specify what contract to call and with what data is a universal wallet drainer for its users. The rule is absolute and constantly violated: never make an unvalidated external call from a contract that holds user approvals. Aggregator UX wants flexible routing; security requires an allowlist. The catalogue shows this exact trade-off being lost, the same way, year after year.
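The anti-pattern and its allowlisted counterpart side by side, as an added illustration written for this entry (it is constructed, not Dexible's, Furucombo's or any other project's actual code; the contract and function names are assumptions). The vulnerable contract lets the caller choose both the call target and the calldata, so any approval the contract holds is reachable by anyone; the hardened contract only calls owner-allowlisted routers, refuses a target that is the token itself, pulls funds exclusively from msg.sender, and grants the router an approval scoped to the single trade.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Constructed example of the "arbitrary external call with caller-controlled
/// target" anti-pattern. Every wallet that has approved this contract is exposed:
/// a caller can set `router` to a token and `data` to an encoded transferFrom.
contract VulnerableAggregator {
    function selfSwap(address router, bytes calldata data) external {
        (bool ok, ) = router.call(data); // no allowlist, no calldata validation
        require(ok, "swap failed");
    }
}

/// Constructed hardened counterpart. Flexible routing is kept, but only within
/// an owner-curated allowlist, and value moves only from the caller's own approval.
contract HardenedAggregator {
    address public immutable owner;
    mapping(address => bool) public allowedRouters;

    event RouterAllowed(address indexed router, bool allowed);

    constructor() {
        owner = msg.sender;
    }

    function setRouter(address router, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedRouters[router] = allowed;
        emit RouterAllowed(router, allowed);
    }

    function selfSwap(
        address router,
        address tokenIn,
        uint256 amountIn,
        bytes calldata data
    ) external {
        require(allowedRouters[router], "router not allowlisted");
        // Defence in depth: a token contract is never a legitimate routing target,
        // even if one were mistakenly allowlisted.
        require(router != tokenIn, "router cannot be the token");

        // Funds are pulled only from msg.sender, using the caller's own approval,
        // so this contract's approvals can never be spent on someone else's behalf.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");

        // Scope the router's spending power to this trade, then revoke it afterwards
        // so a later router compromise cannot reach leftover balances.
        require(IERC20(tokenIn).approve(router, amountIn), "approve failed");
        (bool ok, ) = router.call(data);
        require(ok, "swap failed");
        require(IERC20(tokenIn).approve(router, 0), "approve reset failed");
    }
}
```

The hardened version still accepts caller-supplied calldata, which is the flexibility aggregator UX wants; the security property comes from the allowlist deciding who may receive that calldata and from the contract never holding a standing approval that an allowlisted router could spend outside a trade. Tokens that require the allowance to be zero before it is raised again (USDT-style) are one reason the reset to 0 is done after every call rather than lazily.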
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-dexible-hack-february-2023
- [02] blockapex.io: https://blockapex.io/dexible-hack-analysis/
- [03] rekt.news: https://rekt.news/dexible-rekt