OKX's decentralized exchange (DEX) aggregator appears to have suffered a $2.7 million exploit, according to security analysts.
The attack may have resulted from a leak of the DEX administrator’s private key, security firm SlowMist posted on X. Shortly afterwards, OKX confirmed that an outdated smart contract on OKX’s DEX had been compromised and promised to refund affected users.
“We regret to inform you that an outdated smart contract on OKX DEX has been compromised. We took immediate action to secure all user funds and revoke contract permissions. We are working with relevant agencies to locate the stolen funds and will reimburse affected users,” the platform said on X.
Security analysts at PeckShield later confirmed the exploit, stating that it resulted in the theft of approximately $2.7 million in crypto assets.
Blockchain data analytics provider Arkham also confirmed that OKX DEX was exploited by a hacker who likely upgraded an outdated contract with token approvals, resulting in losses of over $2.7 million. It also suggested that the attacker was linked to other exploits, including LunaFi, Uno Re and RVLT. Arkham offered a bounty of 5,000 ARKM ($2,250) for information that could help identify the hacker or provide refunds.
What happened?
SlowMist said users authorize token exchanges on the DEX through the TokenApprove contract. The DEX contract can then transfer these tokens by calling the TokenApprove contract. An important part of this process is the DEX Proxy, managed by the Proxy Admin. The Proxy Admin owner has the authority to upgrade the DEX Proxy contract, which allows them to call the claimTokens function of the TokenApprove contract for token transfers.
“This attack could be the result of the Proxy Admin Owner’s private key being leaked,” SlowMist added, as the current owner deployed a significant upgrade to the DEX Proxy contract on December 12 at 10:23 UTC. This upgrade changed the contract’s functionality, allowing it to directly call the DEX contract’s claimTokens function for token transfers, creating a vulnerability that attackers exploited to steal tokens.
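Because approvals trust the proxy's address rather than the logic behind it, a monitoring rule has to tie every claimTokens transfer to the implementation that was live at the time. The sketch below is an added example, not code from OKX, SlowMist or this article; the event records, field names, addresses and the reviewed-implementation allowlist are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int        # timestamp (constructed)
    kind: str      # "upgrade" or "claim" (hypothetical record types)
    proxy: str     # DEX proxy address (placeholder)
    detail: dict   # upgrade: {"new_impl"}; claim: {"user", "token", "amount"}

# Implementations that went through review (assumption: the team keeps such a list).
REVIEWED_IMPLS = {"0xIMPL_V1"}

def audit(events, reviewed=REVIEWED_IMPLS, initial_impl="0xIMPL_V1"):
    """Return alerts for unreviewed proxy upgrades and for claims made through them."""
    current = {}   # proxy -> implementation currently behind it
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        impl = current.get(ev.proxy, initial_impl)
        if ev.kind == "upgrade":
            impl = ev.detail["new_impl"]
            current[ev.proxy] = impl
            if impl not in reviewed:
                alerts.append(("UNREVIEWED_UPGRADE", ev.ts, impl))
        elif ev.kind == "claim" and impl not in reviewed:
            # The approval contract accepted the call because it came from the
            # proxy address; the logic that issued it was never reviewed.
            alerts.append(("CLAIM_VIA_UNREVIEWED_IMPL", ev.ts, ev.detail["user"]))
    return alerts

# Constructed sample: normal claim, unreviewed upgrade, claim through it, rollback.
SAMPLE = [
    Event(100, "claim", "0xPROXY", {"user": "0xALICE", "token": "0xTKN", "amount": 5}),
    Event(200, "upgrade", "0xPROXY", {"new_impl": "0xIMPL_X"}),
    Event(210, "claim", "0xPROXY", {"user": "0xBOB", "token": "0xTKN", "amount": 900}),
    Event(300, "upgrade", "0xPROXY", {"new_impl": "0xIMPL_V1"}),
    Event(310, "claim", "0xPROXY", {"user": "0xCAROL", "token": "0xTKN", "amount": 7}),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE):
        print(alert)
```

Users flagged under the second alert type are the ones whose transfers need reconciliation; everyone else with a live approval is still exposed until the upgrade is rolled back or the approval is revoked.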
OKX DEX did not respond to a request for comment from The Block.