OKX DEX (decentralized exchange) suffered a security breach on Tuesday that has cost it anywhere from $400K to millions of dollars, according to reliable sources. The attackers appear to have reached users' wallets by obtaining the smart contract's administration keys and using them to upgrade the contract in their favor.
Responding to the breach, OKX released a statement on its official X (formerly Twitter) account, saying that it had the situation under control and would reimburse affected customers while a thorough review of how the events unfolded is completed.
“We regret to inform you that a deprecated smart contract on OKX Dex has been compromised. We have taken immediate action to secure all user funds and revoke the contract permissions. We are working with relevant agencies to locate the stolen funds and will reimburse affected users with $370k. A thorough review is underway to prevent similar incidents. Our apologies for any inconvenience caused,” said OKX on X.
The Attack May Be Due to the Leak of a Proxy Admin Owner’s Private Keys
Experts such as SlowMist, a blockchain security and auditing firm, believe OKX's compromise was due to the leak of a Proxy Admin's private keys, which the attacker used to upgrade the DEX Proxy contract so that it allowed them to steal the funds.
Here's how it works: the DEX contract transfers a user's tokens by calling the TokenApprove contract. The DEX contract also has a claimTokens function that allows a trusted DEX Proxy to make calls which in turn trigger the claimTokens function of the TokenApprove contract, thus transferring authorized tokens out of a user's wallet.
According to SlowMist's analysis, the crux of this attack is that the trusted DEX Proxy is managed by a Proxy Admin who can upgrade the DEX Proxy contract. The Proxy Admin's private keys were apparently leaked by mistake, and the attackers used them to upgrade the DEX Proxy contract and trigger the claimTokens function to siphon users' funds.
“On December 12, 2023, at 22:23:47, the Proxy Admin Owner upgraded the DEX Proxy contract to a new implementation contract through the Proxy Admin. The new implementation contract’s functionality is to directly call the claimTokens function of the DEX contract to transfer tokens. Subsequently, attackers began calling the DEX Proxy to steal tokens. The Proxy Admin Owner upgraded the contract again at 23:53:59 on December 12, 2023, with similar functionality, and continued stealing tokens after the upgrade. As of now, the attacker has profited approximately 430,000 U,” said SlowMist.
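To make the trust chain SlowMist describes concrete, the following is an added, simplified Python model written for this article; it is not the OKX contracts or SlowMist's code. Names (alice, attacker, admin-key), amounts, and the timelock mechanism are constructed assumptions. It replays the incident twice: once with upgrades that take effect immediately, where a leaked Proxy Admin owner key drains approved funds at once, and once with an upgrade delay that gives a monitor watching upgrade events time to revoke the user's allowance before the malicious implementation goes live.

```python
# Added example: simplified model of user -> TokenApprove -> DEX -> trusted DEX Proxy
# -> implementation chosen by a Proxy Admin. Constructed for illustration; not the
# real OKX contracts. Shows why an upgrade timelock limits a leaked admin key's damage.


class Unauthorized(Exception):
    """Raised when a call comes from an address the contract does not trust."""


class Token:
    """Minimal ERC-20-like ledger: balances plus (owner, spender) allowances."""

    def __init__(self, balances):
        self.balances, self.allowances = dict(balances), {}

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowances.get((owner, spender), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise Unauthorized("insufficient allowance or balance")
        self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class TokenApprove:
    """Holds user allowances; claimTokens only honours calls from the DEX."""
    addr = "TokenApprove"

    def __init__(self, token, dex_addr):
        self.token, self.dex_addr = token, dex_addr

    def claim_tokens(self, caller, owner, to, amount):
        if caller != self.dex_addr:
            raise Unauthorized("TokenApprove: caller is not the DEX")
        self.token.transfer_from(self.addr, owner, to, amount)


class DEX:
    """claimTokens only honours calls from the trusted DEX Proxy."""
    addr = "DEX"

    def __init__(self, token_approve, trusted_proxy_addr):
        self.token_approve, self.trusted_proxy = token_approve, trusted_proxy_addr

    def claim_tokens(self, caller, owner, to, amount):
        if caller != self.trusted_proxy:
            raise Unauthorized("DEX: caller is not the trusted proxy")
        self.token_approve.claim_tokens(self.addr, owner, to, amount)


def legit_impl(proxy, caller, owner, to, amount):
    """Original implementation: a caller may only spend their own allowance."""
    if caller != owner:
        raise Unauthorized("impl: caller is not the token owner")
    proxy.dex.claim_tokens(proxy.addr, owner, to, amount)


def drain_impl(proxy, caller, owner, to, amount):
    """Implementation matching SlowMist's description: claimTokens for any user."""
    proxy.dex.claim_tokens(proxy.addr, owner, to, amount)


class DEXProxy:
    """Delegates every call to whatever implementation the Proxy Admin has set."""
    addr = "DEXProxy"

    def __init__(self, dex, impl):
        self.dex, self.impl = dex, impl

    def call(self, caller, owner, to, amount):
        self.impl(self, caller, owner, to, amount)


class ProxyAdmin:
    """Upgrades take effect `delay` seconds after scheduling (assumed timelock)."""

    def __init__(self, owner_key, proxy, delay):
        self.owner_key, self.proxy, self.delay = owner_key, proxy, delay
        self.pending, self.events = [], []

    def schedule_upgrade(self, caller_key, impl, now):
        if caller_key != self.owner_key:
            raise Unauthorized("ProxyAdmin: not owner")
        self.pending.append((now + self.delay, impl))
        self.events.append(("UpgradeScheduled", now, impl.__name__))

    def execute_upgrade(self, caller_key, now):
        if caller_key != self.owner_key:
            raise Unauthorized("ProxyAdmin: not owner")
        ready = [p for p in self.pending if p[0] <= now]
        if not ready:
            return False
        self.pending = [p for p in self.pending if p[0] > now]
        self.proxy.impl = ready[-1][1]
        self.events.append(("Upgraded", now, self.proxy.impl.__name__))
        return True


def run_incident(upgrade_delay):
    """Replay the attack under a given upgrade delay; returns final balances."""
    token = Token({"alice": 1000, "attacker": 0})
    token_approve = TokenApprove(token, DEX.addr)
    dex = DEX(token_approve, DEXProxy.addr)
    proxy = DEXProxy(dex, legit_impl)
    admin = ProxyAdmin("admin-key", proxy, upgrade_delay)
    token.approve("alice", TokenApprove.addr, 1000)  # alice's standing allowance

    # Attacker holds the leaked owner key and pushes the malicious implementation.
    admin.schedule_upgrade("admin-key", drain_impl, now=0)
    admin.execute_upgrade("admin-key", now=0)  # lands immediately only if delay == 0

    # Defender reaction: while the upgrade is still pending, a monitor on
    # UpgradeScheduled events gives alice time to revoke her allowance.
    if admin.pending:
        token.approve("alice", TokenApprove.addr, 0)

    admin.execute_upgrade("admin-key", now=upgrade_delay)  # timelock expires
    try:
        proxy.call("attacker", owner="alice", to="attacker", amount=1000)
    except Unauthorized:
        pass  # drain blocked: allowance already revoked
    return token.balances
```

With `upgrade_delay=0` the attacker ends up holding alice's 1000 tokens; with a non-zero delay the drain attempt fails because the allowance was revoked first. The point is that every contract in the chain enforces its caller check correctly, yet a single leaked key still controls the outcome, so the defence lies in making upgrades slow and observable rather than in the checks themselves.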
Full Scope of The Hack To Be Determined
Estimates of the exact scope of the attack have ranged from $370K to $2.7M; however, investigations are still ongoing to locate the stolen funds, and OKX has promised in its official statement to return $370K to all affected users.
The OKX DEX attack joins a long list of similar hacks on crypto networks this year, including SafeMoon, CoinEx, Kyber Network, Kronos Research, Atomic Wallet, and many others. It is another wake-up call to strengthen on-chain security and improve private key management.