OKX promises user reimbursement following DEX hack due to deprecated smart contract OKX promises user reimbursement following DEX hack due to deprecated smart contract
Outdated smart contract leads to $370,000 loss in OKX DEX aggregator security breach, leading to revoking of smart contract.
2 min read
Updated: Dec. 13, 2023 at 12:13 pm UTC
Cover art/illustration via CryptoSlate. Image includes combined content which may include AI-generated content.
The OKX DEX Aggregator faced a significant security breach involving an outdated smart contract on Dec. 12. This incident resulted in measures by OKX to secure user assets and revoke permissions for the compromised contract. The breach, resulting in the loss of around $370,000, has prompted the company to announce it will reimburse affected users as they coordinate with authorities to track down the stolen funds. A comprehensive review is now in progress to avoid such vulnerabilities in the future.
An official statement from the OKX web3 team stated,
“We regret to inform you that a deprecated smart contract on OKX Dex has been compromised. We have taken immediate action to secure all user funds and revoke the contract permissions.
We are working with relevant agencies to locate the stolen funds and will reimburse affected users with $370k. A thorough review is underway to prevent similar incidents. Our apologies for any inconvenience caused.”
Blockchain security firm SlowMist identified a potential leak of the private key of the Proxy Admin Owner associated with the OKX DEX. A sequence of suspicious activities was observed, beginning with upgrading the DEX Proxy contract to a new implementation. This new contract had the capability to directly call the claimTokens function of the DEX contract, which led to unauthorized token transfers.
The DEX Proxy was upgraded again later that evening, continuing the illicit token transfers. Approximately 430,000 tokens were stolen during this period, suggesting that the breach was due to the leakage of the Proxy Admin Owner’s private key. The DEX Proxy has been removed from the trusted list as a remedial step.
Tokens stolen include notable projects such as USDC, USDT, Pepe, WETH, Rollbit, SLP, and SHIBA INU across a total of 31 transactions into the wallet now labeled as “OKX Exploiter 2” on Etherscan.
Security firm Cyvers indicated that the total estimated loss could be as high as $1.1 million, with part of the stolen funds being deposited to Railgun and distributed to various externally owned accounts (EOAs). The attacker was reportedly funded by Tornado Cash.
Mentioned in this article
Author 
Liam 'Akiba' Wright
Also known as "Akiba," Liam is a reporter, editor and podcast producer at CryptoSlate. He believes that decentralized technology has the potential to make widespread positive change.
Editor Editor 
News Desk
CryptoSlate is a comprehensive and contextualized source for crypto news, insights, and data. Focusing on Bitcoin, macro, DeFi and AI.
In this article
Ethereum is a decentralized, open-source blockchain platform that enables the creation of smart contracts and decentralized applications (DApps).
Rollbit Coin
$0.10434
The Rollbit token (RLB) was launched as an integral part of the Rollbit lottery.
SHIBA INU
$0.00002
Shiba Inu (SHIB) is a decentralized meme token that aims to be the Ethereum-based counterpart to Dogecoin’s Srypt-based mining algorithm. According to SHIBA INU, the reasoning behind the creation of SHIBA is that Shibas constantly forget where they bury their treasure.
Tether
$0.99883
Launched in 2014, Tether is a blockchain-enabled platform designed to facilitate the use of fiat currencies in a digital manner.
USD Coin
$0.99999
USD Coin (USDC) is a stablecoin fully backed by the US dollar and developed by the CENTRE consortium.
Smooth Love Potion
$0.00372
Smooth Love Potion (SLP) tokens can be earned as rewards by Axie Infinity game players through battle or adventure mode.
OKX
OKX is a world-leading digital asset exchange, providing advanced financial services to global traders by using blockchain technology.