• OKX DEX appears to have suffered a $2.7 million exploit following a private key leak, according to security analysts.
• The team confirmed a deprecated smart contract on OKX DEX had been compromised, promising to reimburse affected users.

A decentralized exchange (DEX) aggregator from OKX appears to have suffered a $2.7 million exploit, according to security analysts.

The attack may have resulted from the DEX’s admin private key leak, security firm SlowMist posted on X. Shortly after, OKX confirmed a deprecated smart contract on OKX’s DEX had been compromised, promising to reimburse affected users.

🚨SlowMist Security Alert: OKX DEX Proxy Admin Owner’s Private Key Suspected to be Leaked🚨

According to information from SlowMist Zone, the OKX DEX contract appears to have encountered an issue. After SlowMist’s analysis, it was found that when users exchange, they authorize…

— SlowMist (@SlowMist_Team) December 13, 2023

“We regret to inform you that a deprecated smart contract on OKX DEX has been compromised. We have taken immediate action to secure all user funds and revoke the contract permissions. We are working with relevant agencies to locate the stolen funds and will reimburse affected users,” the platform stated on X.

We regret to inform you that a deprecated smart contract on OKX Dex has been compromised. We have taken immediate action to secure all user funds and revoke the contract permissions. We are working with relevant agencies to locate the stolen funds and will reimburse affected… pic.twitter.com/zDIjhb3ETz

— OKX Web3 (Wallet | DeFi | NFT) (@okxweb3) December 13, 2023

Security analysts at PeckShield later confirmed the exploit, stating that it resulted in approximately $2.7 million worth of crypto assets stolen.

#PeckShieldAlert #OKX #DEX suffered a Private Key Leakage attack, resulting in ~$2.76M worth of cryptos being stolen.
Please *Revoke* your allowance if any, to https://t.co/uwzzJzNUHH pic.twitter.com/yOqAVR2HMR

— PeckShieldAlert (@PeckShieldAlert) December 13, 2023

Blockchain data analytics provider Arkham also confirmed OKX DEX was exploited by a hacker who likely upgraded a deprecated contract with token approvals, resulting in losses of over $2.7 million. 

New Intel Exchange Bounty: OKX DEX Exploit

We’ve created and funded a bounty to help identify the person or organization behind the recent OKX DEX exploit.

OKX DEX was exploited by a hacker who upgraded a deprecated contract with token approvals, resulting in losses of over… https://t.co/kakhpb05NV pic.twitter.com/k5ztEm51bW

— Arkham (@ArkhamIntel) December 13, 2023

It also suggested that the attacker was tied to other exploits, including LunaFi, Uno Re and RVLT. Arkham also offered a bounty of 5,000 ARKM ($2,250) for information to help identify the hacker or lead to the return of funds.

See Also: Microsoft Warns That Cybercriminals Can Exploit OAuth Applications

SlowMist said users authorize token exchanges on the DEX via the TokenApprove contract. The DEX contract can then transfer these tokens by invoking TokenApprove’s functionality. 

A key component in this process is the DEX Proxy, managed by the Proxy Admin. The Proxy Admin Owner has the authority to upgrade the DEX Proxy contract, enabling it to call the claimTokens function of the TokenApprove contract for token transfers.

“This attack may be a result of the Proxy Admin Owner’s private key being leaked,” SlowMist added, with the current owner implementing a significant upgrade to the DEX Proxy contract on Dec. 12 at 22:23 UTC. 

This upgrade altered the contract’s functionality, allowing it to directly call the claimTokens function of the DEX contract for token transfers — opening up a vulnerability that attackers exploited to steal tokens.