Nexo

Start Earning Up to 16% Interest Automatically

Learn More
Home » DeFi » OKX DEX hacked for $2.7 million after private key leak

OKX DEX hacked for $2.7 million after private key leak

by

The exchange has promised to reimburse affected users.

OKX DEX hacked for $2.7 million after private key leak

Share this article

A recently confirmed exploit hit the OKX decentralized exchange (DEX) yesterday, according to an initial investigation by blockchain security firm SlowMist. The exploit is suspected to have originated from a private key leak leveraged against a deprecated smart contract.

OKX has confirmed the exploit and has promised to reimburse affected users. At the time of writing, the total damage of this exploit stands at an estimated $2.7 million, a number that may still go up pending discovery from further investigations.

“We regret to inform you that a deprecated smart contract on OKX DEX has been compromised. We have taken immediate action to secure all user funds and revoke the contract permissions,” OKX said.

The platform also stated they are now working with ‘relevant agencies’ to help locate and retrieve the stolen funds.

Initial analysis of the exploit by SlowMist details that token exchanges made through OKX’s DEX platform are processed using the TokenApprove contract, which can then transfer tokens through the contract’s call functionalities.

One critical element of this process is the DEX Proxy, a delegated authorization mechanism responsible for managing token transfers between users’ wallets and the TokenApprove contract.

The DEX Proxy acts as an intermediary layer, allowing users to trade tokens on the OKX platform without having to constantly approve individual token transactions. This process is overseen by a proxy administrator who may upgrade the contract and invoke claimToken functions (based on the TokenApprove layer) for transfers.

Further investigation by SlowMist revealed that an update to the DEX Proxy contract was implemented on December 12 at 22:23 UTC, effectively modifying the contract’s functionality.

Unfortunately, due to the alleged private key leak in the old version of the smart contract, the yet unidentified threat actor was able to bypass this.

Post the attack, blockchain analytics firm Arkham has released an Intel Exchange Bounty for anyone who can help identify the person or organization behind the exploit. Arkham claims that the same hacker or group was responsible for recent exploits on LunaFi, Uno Re, RVLT, and more, although details on the suspect’s degree of involvement in these are scarce at the moment. The bounty by Arkham is open for 5,000 ARKM (about $2,250).

Share this article

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

Crypto Briefing may augment articles with AI-generated content created by Crypto Briefing’s own proprietary AI platform. We use AI as a tool to deliver fast, valuable and actionable information without losing the insight - and oversight - of experienced crypto natives. All AI augmented content is carefully reviewed, including for factural accuracy, by our editors and writers, and always draws from multiple primary and secondary sources when available to create our stories and articles.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.