OKX’s decentralized exchange aggregator suffered a $2.8 million exploit Tuesday night, according to several different security firms.
Blockchain security firm SlowMist suspects the attack and subsequent theft of funds occurred because the private key of the DEX’s proxy admin owner was leaked.
“We regret to inform you that a deprecated smart contract on OKX Dex has been compromised,” OKX posted on X. “We have taken immediate action to secure all user funds and revoke the contract permissions. We are working with relevant agencies to locate the stolen funds and will reimburse affected users with $370k.”
Security consultancy Peck Shield also indicated that the OKX DEX had its private key leaked.
#PeckShieldAlert #OKX #DEX suffered a Private Key Leakage attack, resulting in ~$2.76M worth of cryptos being stolen.
Please *Revoke* your allowance if any, to https://t.co/uwzzJzNUHH pic.twitter.com/yOqAVR2HMR— PeckShieldAlert (@PeckShieldAlert) December 13, 2023
With the private key, the attacker upgraded a smart contract to a “new implementation.” SlowMist security analysts wrote on X that “the new implementation contact’s functionality is to directly call the claimTokens function of the DEX contract to transfer tokens. Subsequently, attackers began calling the DEX Proxy to steal tokens.” The attackers repeated this tactic successfully in 33 transactions, per Etherscan.
Blockchain analytics firm Arkham Intelligence, known for its crypto intelligence marketplace, indicated the exploiter “is tied to a number of hacks, including LunaFi, Uno Re, RVLT and more.” As such, Arkham created and funded a reward bounty worth about $2,300 to uncover who was responsible for the recent OKX DEX exploit.
The recent attack makes OKX DEX and its users the latest victims in the crypto ecosystem, following several exploits, hacks and scams in November, “the most damaging month this year,” per security firm CertiK on X.
Read more: November Is 2023’s Worst Month for Crypto Hacks and Fraud as $343 Million Is Stolen
Crypto exchange Poloniex suffered a $125 million loss, while HTX (formerly known as Huobi) and blockchain protocol Heco Chain saw roughly $85 million stolen in crypto. KyberSwap experienced flash loan attacks that resulted in $48 million leaving the platform. Each of these incidents occurred in November.
OKX, one of the largest cryptocurrency exchanges, had a 24-hour spot trading volume of more than $2.5 billion, surpassing Coinbase, Kraken and KuCoin, data from CoinMarketCap shows.
OKX DEX did not immediately respond to Unchained’s request to comment.