OKX promises user reimbursement following DEX hack due to deprecated smart contract
Outdated smart contract leads to $370,000 loss in OKX DEX aggregator security breach; OKX revokes the contract's permissions.
The OKX DEX Aggregator faced a significant security breach involving an outdated smart contract on Dec. 12. In response, OKX moved to secure user assets and revoke permissions for the compromised contract. The breach, which caused a loss of around $370,000, has prompted the company to announce that it will reimburse affected users while it coordinates with authorities to track down the stolen funds. A comprehensive review is now in progress to prevent similar vulnerabilities in the future.
An official statement from the OKX web3 team read:
“We regret to inform you that a deprecated smart contract on OKX Dex has been compromised. We have taken immediate action to secure all user funds and revoke the contract permissions.
We are working with relevant agencies to locate the stolen funds and will reimburse affected users with $370k. A thorough review is underway to prevent similar incidents. Our apologies for any inconvenience caused.”
Blockchain security firm SlowMist identified a potential leak of the private key of the Proxy Admin Owner associated with the OKX DEX. A sequence of suspicious activities was observed, beginning with an upgrade of the DEX Proxy contract to a new implementation. The new implementation could call the claimTokens function of the DEX contract directly, which led to unauthorized token transfers.
The DEX Proxy was upgraded again later that evening, continuing the illicit token transfers. Approximately 430,000 tokens were stolen during this period, suggesting that the breach was due to the leakage of the Proxy Admin Owner’s private key. The DEX Proxy has been removed from the trusted list as a remedial step.
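The attack path above hinges on a proxy being pointed at an implementation nobody approved, which is visible on-chain as an EIP-1967 `Upgraded` event. The following monitor is an added example written for this article, not code from OKX or SlowMist; it runs over hand-constructed log records in the shape of an `eth_getLogs` result, and the proxy and implementation addresses are placeholders, not the real OKX contracts.

```python
"""Flag implementation upgrades of an EIP-1967 proxy that are not on an approved list.

All log records below are constructed by hand (address, topics, data, transactionHash,
as eth_getLogs returns them); addresses and tx hashes are placeholders."""
from dataclasses import dataclass

# keccak256("Upgraded(address)"): topic0 of the EIP-1967 Upgraded event.
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"


@dataclass(frozen=True)
class UpgradeAlert:
    proxy: str
    new_impl: str
    tx_hash: str
    reason: str


def topic_to_address(topic: str) -> str:
    """An indexed address topic is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def find_unexpected_upgrades(logs, approved_impls):
    """Alert on every Upgraded event whose new implementation is not on the
    proxy's approved list, or that targets a proxy we do not monitor at all."""
    approved = {p.lower(): {i.lower() for i in impls} for p, impls in approved_impls.items()}
    alerts = []
    for log in logs:
        topics = log.get("topics") or []
        if len(topics) < 2 or topics[0].lower() != UPGRADED_TOPIC:
            continue  # not an Upgraded event (or malformed)
        proxy, new_impl, tx = log["address"].lower(), topic_to_address(topics[1]), log["transactionHash"]
        if proxy not in approved:
            alerts.append(UpgradeAlert(proxy, new_impl, tx, "upgrade on unmonitored proxy"))
        elif new_impl not in approved[proxy]:
            alerts.append(UpgradeAlert(proxy, new_impl, tx, "implementation not on approved list"))
    return alerts


# Constructed sample data (placeholders, not real on-chain values).
PROXY = "0x" + "11" * 20
GOOD_IMPL, ROGUE_IMPL = "0x" + "aa" * 20, "0x" + "bb" * 20
APPROVED = {PROXY: [GOOD_IMPL]}

def pad_topic(addr: str) -> str:
    return "0x" + addr[2:].rjust(64, "0")  # encode an address as a 32-byte topic

SAMPLE_LOGS = [
    {"address": PROXY, "topics": [UPGRADED_TOPIC, pad_topic(GOOD_IMPL)], "data": "0x", "transactionHash": "0x01"},
    {"address": PROXY, "topics": [UPGRADED_TOPIC, pad_topic(ROGUE_IMPL)], "data": "0x", "transactionHash": "0x02"},
    {"address": PROXY, "topics": ["0x" + "dd" * 32], "data": "0x", "transactionHash": "0x03"},  # unrelated event
]

if __name__ == "__main__":
    for a in find_unexpected_upgrades(SAMPLE_LOGS, APPROVED):
        print(f"ALERT {a.reason}: proxy {a.proxy} -> {a.new_impl} in {a.tx_hash}")
```

Against the sample logs, only the upgrade to the rogue implementation is flagged; in production the same check would be fed from a live log subscription, and the approved list maintained by the release process that signs legitimate upgrades.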
Tokens stolen include notable projects such as USDC, USDT, Pepe, WETH, Rollbit, SLP, and SHIBA INU across a total of 31 transactions into the wallet now labeled as “OKX Exploiter 2” on Etherscan.
Security firm Cyvers indicated that the total estimated loss could be as high as $1.1 million, with part of the stolen funds being deposited to Railgun and distributed to various externally owned accounts (EOAs). The attacker was reportedly funded by Tornado Cash.