Security • December 13, 2023, 8:01AM EST
Published 1 minute earlier on
UPDATED: December 13, 2023, 8:03AM EST

OKX DEX suffers apparent $2.7 million exploit following suspected private key leak

Read the non-AMP story on Theblock.co
The Block

Quick Take

  • A decentralized exchange aggregator from OKX appears to have suffered a $2.7 million exploit following a private key leak, according to security analysts.
  • The team confirmed a deprecated smart contract on OKX DEX had been compromised, promising to reimburse affected users.

A decentralized exchange (DEX) aggregator from OKX appears to have suffered a $2.7 million exploit, according to security analysts.

The attack may have resulted from the DEX's admin private key leak, security firm SlowMist posted on X. Shortly after, OKX confirmed a deprecated smart contract on OKX's DEX had been compromised, promising to reimburse affected users.

“We regret to inform you that a deprecated smart contract on OKX DEX has been compromised. We have taken immediate action to secure all user funds and revoke the contract permissions. We are working with relevant agencies to locate the stolen funds and will reimburse affected users,” the platform stated on X.

Security analysts at PeckShield later confirmed the exploit, stating that it resulted in approximately $2.7 million worth of crypto assets stolen.

Blockchain data analytics provider Arkham also confirmed OKX DEX was exploited by a hacker who likely upgraded a deprecated contract with token approvals, resulting in losses of over $2.7 million. It also suggested that the attacker was tied to other exploits, including LunaFi, Uno Re and RVLT. Arkham also offered a bounty of 5,000 ARKM ($2,250) for information to help identify the hacker or lead to the return of funds.

What happened?

SlowMist said users authorize token exchanges on the DEX via the TokenApprove contract. The DEX contract can then transfer these tokens by invoking TokenApprove's functionality. A key component in this process is the DEX Proxy, managed by the Proxy Admin. The Proxy Admin Owner has the authority to upgrade the DEX Proxy contract, enabling it to call the claimTokens function of the TokenApprove contract for token transfers.

“This attack may be a result of the Proxy Admin Owner's private key being leaked,” SlowMist added, with the current owner implementing a significant upgrade to the DEX Proxy contract on Dec. 12 at 22:23 UTC. This upgrade altered the contract's functionality, allowing it to directly call the claimTokens function of the DEX contract for token transfers — opening up a vulnerability that attackers exploited to steal tokens.

OKX DEX did not respond to a request for comment from The Block.


Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.