- OKX’s decentralized exchange (DEX) aggregator was exploited for $2.7 million after its admin private key was reportedly leaked, allowing attackers to steal tokens.
- Security analysts confirmed the exploit resulted from a vulnerability in a deprecated smart contract on the DEX. The contract was upgraded to allow direct access to a token transfer function.
- OKX acknowledged the incident, revoked contract permissions, and is working to reimburse affected users. The exploit demonstrates risks of private key leaks and deprecated contract vulnerabilities.
OKX’s decentralized exchange (DEX) aggregator appears to have suffered a $2.7 million exploit after the DEX’s admin private key was reportedly leaked, according to security analysts. Shortly after, OKX confirmed that a deprecated smart contract on the DEX had been compromised and promised to reimburse affected users.
Details of the Exploit
According to security firm SlowMist, users authorize token exchanges on the DEX via the TokenApprove contract. The DEX contract can then transfer these tokens by invoking TokenApprove’s functionality. A key component in this process is the DEX Proxy, managed by the Proxy Admin. The Proxy Admin Owner has the authority to upgrade the DEX Proxy contract, enabling it to call the claimTokens function of the TokenApprove contract for token transfers.
SlowMist said this attack may have resulted from the Proxy Admin Owner’s private key being leaked. The current owner implemented a significant upgrade to the DEX Proxy contract on Dec 12 at 22:23 UTC. This upgrade altered the contract’s functionality, allowing it to directly call the claimTokens function of the DEX contract for token transfers, which opened up a vulnerability that attackers exploited to steal tokens.
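The trust chain SlowMist describes is worth seeing in code, because the weak point is structural: user approvals sit on TokenApprove, TokenApprove trusts whatever code lives behind the DEX Proxy, and whoever can upgrade the proxy therefore controls every approval. The following is an added illustration and is not OKX’s code; the contract names, the guardian role and the 48-hour delay are assumptions. It models the TokenApprove/claimTokens relationship and shows the control a defender would want in front of it: a proxy admin whose upgrades must be scheduled, wait out a delay, and can be cancelled by a separately held guardian key, so a single leaked owner key cannot silently swap the implementation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical model of the TokenApprove / DEX Proxy / Proxy Admin chain.
// Not OKX's code; contract names, the guardian role and the delay are assumptions.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IUpgradeableProxy {
    function upgradeTo(address newImplementation) external;
}

/// Users approve this contract on their ERC-20 tokens. It pulls tokens only on
/// behalf of one trusted caller: the DEX proxy. Any implementation the proxy
/// points at inherits that privilege, so control of the proxy's upgrade path
/// is equivalent to control of every outstanding user approval.
contract TokenApprove {
    address public immutable trustedDex;

    constructor(address dex) {
        trustedDex = dex;
    }

    function claimTokens(address token, address from, address to, uint256 amount) external {
        require(msg.sender == trustedDex, "TokenApprove: caller is not the DEX proxy");
        require(IERC20(token).transferFrom(from, to, amount), "TokenApprove: transferFrom failed");
    }
}

/// Proxy admin whose upgrades cannot take effect immediately. A leaked owner
/// key can schedule an upgrade but cannot execute it before UPGRADE_DELAY has
/// elapsed, and a guardian key held separately can cancel it in that window.
/// UpgradeScheduled is the event that monitoring should alert on.
contract TimelockedProxyAdmin {
    uint256 public constant UPGRADE_DELAY = 48 hours; // assumed value

    address public owner;    // schedules and executes upgrades
    address public guardian; // may only cancel; kept on different infrastructure

    // keccak256(proxy, implementation) => earliest timestamp at which it may execute
    mapping(bytes32 => uint256) public readyAt;

    event UpgradeScheduled(address indexed proxy, address indexed implementation, uint256 readyAt);
    event UpgradeCancelled(address indexed proxy, address indexed implementation);
    event UpgradeExecuted(address indexed proxy, address indexed implementation);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address _owner, address _guardian) {
        owner = _owner;
        guardian = _guardian;
    }

    function upgradeId(address proxy, address implementation) public pure returns (bytes32) {
        return keccak256(abi.encode(proxy, implementation));
    }

    // Step 1: announce the intended implementation and start the clock.
    function scheduleUpgrade(address proxy, address implementation) external onlyOwner {
        bytes32 id = upgradeId(proxy, implementation);
        require(readyAt[id] == 0, "already scheduled");
        readyAt[id] = block.timestamp + UPGRADE_DELAY;
        emit UpgradeScheduled(proxy, implementation, readyAt[id]);
    }

    // The guardian (or the owner) can abort a pending upgrade during the delay.
    function cancelUpgrade(address proxy, address implementation) external {
        require(msg.sender == guardian || msg.sender == owner, "not guardian or owner");
        bytes32 id = upgradeId(proxy, implementation);
        require(readyAt[id] != 0, "not scheduled");
        delete readyAt[id];
        emit UpgradeCancelled(proxy, implementation);
    }

    // Step 2: only after the delay may the proxy actually be repointed.
    function executeUpgrade(address proxy, address implementation) external onlyOwner {
        bytes32 id = upgradeId(proxy, implementation);
        uint256 t = readyAt[id];
        require(t != 0, "not scheduled");
        require(block.timestamp >= t, "timelock not expired");
        delete readyAt[id];
        IUpgradeableProxy(proxy).upgradeTo(implementation);
        emit UpgradeExecuted(proxy, implementation);
    }
}
```

Two operational points follow from the model. First, a contract that is deprecated but still listed as `trustedDex` on a live TokenApprove keeps its pull privilege over every approval until that trust is revoked, which is the permission revocation OKX describes in its statement. Second, users can cut their own exposure to any such chain by resetting the allowance they granted, with a standard ERC-20 `approve(tokenApproveAddress, 0)`, once they stop using the DEX.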
In a statement on Twitter, OKX said: “We regret to inform you that a deprecated smart contract on OKX DEX has been compromised. We have taken immediate action to secure all user funds and revoke the contract permissions. We are working with relevant agencies to locate the stolen funds and will reimburse affected users.”
Security analysts at PeckShield later confirmed the exploit, stating that it resulted in approximately $2.7 million worth of crypto assets stolen.
Blockchain analytics provider Arkham also confirmed the OKX DEX exploit. It suggested the attacker was tied to other exploits including LunaFi, Uno Re, and RVLT. Arkham offered a bounty for information to identify the hacker or lead to the return of funds.
The OKX DEX exploit demonstrates the risks associated with potential private key leaks and vulnerabilities in deprecated smart contracts. While OKX aims to reimburse affected users, the incident highlights the need for robust security practices and procedures to prevent such attacks. The ongoing investigations will likely provide more details on exactly how the exploit occurred.