OKX DEX Proxy Admin Owner's Private Key Exposed

PeckShield claims that over $2.7 million has been stolen, while the OKX team estimates the financial damage to be below $400,000.

According to PeckShield, the reported losses have exceeded $2.7 million, whereas the OKX team contends that the financial impact is approximately $370,000.

Today, multiple cybersecurity teams reported a private key leakage affecting the OKX DEX, a decentralized exchange aggregator.

One of the first Web3 security analysts to identify the suspicious activities was SlowMist, which promptly issued an alert regarding the suspected breach.

"According to information from SlowMist Zone, the OKX DEX contract appears to have encountered an issue," SlowMist posted on X, providing additional details on the matter.

As per SlowMist, the root cause of the problem might be the DEX Proxy upgrade by the Proxy Admin Owner yesterday. This upgrade introduced a new implementation contract, allowing for the direct invocation of the claimTokens function of the DEX contract, thereby facilitating the transfer of tokens.


SlowMist explains that on the OKX DEX, "when users exchange, they authorize the TokenApprove contract, and the DEX contract transfers the user's tokens by calling the TokenApprove contract." SlowMist further notes that "The DEX contract has a claimTokens function that allows a trusted DEX Proxy to make calls, with its functionality being able to invoke the claimTokens function of the TokenApprove contract to transfer tokens authorized by the user."

PeckShield's Diagram of the OKX DEX exploit
Source: PeckShield, X

The trusted DEX Proxy was managed by the Proxy Admin, but the upgrade in question introduced a vulnerability by enabling direct invocation of the claimTokens function: the DEX Proxy, rather than acting as an intermediary, now directly executed the function responsible for transferring tokens.

According to SlowMist, this change, whether intentional or not, provided malicious actors with the ability to transfer tokens without the usual checks and balances that were in place before the upgrade.
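To make the trust chain SlowMist describes concrete, the following is a constructed Solidity sketch added here (not OKX's or SlowMist's code): the contract names mirror the article, while the two Proxy Admin variants, the function signatures and the 2-day delay are assumptions chosen to show why a single admin key that can swap the trusted proxy's implementation instantly is the weak point, and how a timelocked upgrade gives watchers and users time to react.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the trust chain described in the article (not OKX code):
// user --approve--> TokenApprove --claimTokens(onlyDex)--> DEX --claimTokens(onlyTrustedProxy)--> DEX Proxy
// Whoever controls the code behind the trusted proxy address can reach every approval in the chain.

interface IERC20 { function transferFrom(address from, address to, uint256 amount) external returns (bool); }

contract TokenApprove {
    address public immutable dex;                      // only the DEX may pull user approvals
    constructor(address dex_) { dex = dex_; }
    function claimTokens(address token, address from, address to, uint256 amount) external {
        require(msg.sender == dex, "TokenApprove: caller is not the DEX");
        require(IERC20(token).transferFrom(from, to, amount), "TokenApprove: transfer failed");
    }
}

contract DEX {
    TokenApprove public immutable tokenApprove;
    address public immutable trustedProxy;             // the upgradeable DEX Proxy address
    constructor(address tokenApprove_, address trustedProxy_) { tokenApprove = TokenApprove(tokenApprove_); trustedProxy = trustedProxy_; }
    function claimTokens(address token, address from, address to, uint256 amount) external {
        require(msg.sender == trustedProxy, "DEX: caller is not the trusted proxy");
        tokenApprove.claimTokens(token, from, to, amount);
    }
}

// Weak (assumed model of the situation in the article): one owner key swaps the implementation and the
// new code is live behind the trusted proxy address in the same transaction, so every approval is exposed at once.
contract ProxyAdminImmediate {
    address public owner = msg.sender; address public implementation;
    event Upgraded(address indexed impl);
    function upgrade(address newImpl) external { require(msg.sender == owner, "not owner"); implementation = newImpl; emit Upgraded(newImpl); }
}

// Hardened: an upgrade is announced first and can only be enforced after a delay, so monitoring can alert on
// UpgradeScheduled and users can revoke their TokenApprove approvals before the new code runs.
contract ProxyAdminTimelocked {
    uint256 public constant DELAY = 2 days;            // assumed delay
    address public owner = msg.sender; address public implementation;
    mapping(address => uint256) public readyAt;        // newImpl => earliest execution time
    event UpgradeScheduled(address indexed impl, uint256 readyAt); event Upgraded(address indexed impl);
    function schedule(address newImpl) external { require(msg.sender == owner, "not owner"); readyAt[newImpl] = block.timestamp + DELAY; emit UpgradeScheduled(newImpl, readyAt[newImpl]); }
    function execute(address newImpl) external {
        require(msg.sender == owner && readyAt[newImpl] != 0 && block.timestamp >= readyAt[newImpl], "upgrade not ready");
        delete readyAt[newImpl]; implementation = newImpl; emit Upgraded(newImpl);
    }
}
```

The delegatecall forwarding of the proxy itself is omitted; the point is that the access checks in TokenApprove and DEX are only as strong as control over the address that is allowed to call them.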

"The Proxy Admin Owner upgraded the contract again at 23:53:59 on December 12, 2023, with similar functionality, and continued stealing tokens after the upgrade," SlowMist adds.


One of the most recent updates on the incident, from another cybersecurity team, PeckShield, puts the theft at nearly $2.76 million.

Meanwhile, OKX has commented on the security breach, claiming that the incident resulted from "the theft of the management rights on an abandoned OKX DEX market maker contract that is no longer in use." As per OKX, the exploit led to the transfer of assets from eighteen addresses authorized for the contract, with the total loss amounting to approximately $370,000.

The team behind OKX has promised to initiate loss recovery procedures, "conduct a security self-examination in the future, and reorganize all related abandoned contracts to avoid such incidents from happening again." The affected contracts have already been deactivated.