OKX DEX, a popular DeFi platform, announced a security breach — the culprit was a malicious upgrade of the DEX Proxy contract. Let’s dive into this exploit and understand what happened.
OKX DEX Hack Timeline:
Pre-Attack (December 12th, 2023)
- 10:23 P.M. UTC — Proxy Admin Owner upgrades DEX Proxy to a new version that can directly steal tokens.
Attack (December 12th, 2023)
- Attackers exploit the vulnerability to steal funds.
- 11:53 P.M. UTC — Another upgrade with similar functionality is deployed.
- Total stolen: Approximately $430,000.
Post-Attack (December 13th, 2023 onwards)
- OKX team removes the compromised Proxy from the trusted list, stopping further theft.
- 4:30 A.M. UTC — OKX Web3 Wallet team announces compensation for affected users.
The Vulnerability
The DEX market maker contract relied on a trusted “DEX Proxy” contract, an intermediary that facilitates user token transfers. This Proxy, however, was controlled by a single entity, the Proxy Admin Owner contract.
Abstract
Investigation indicates that when users swap, they grant token allowances to the TokenApprove contract; the DEX contract then moves user tokens by calling the TokenApprove contract. The DEX contract exposes a claimTokens function that only a trusted DEX Proxy may call; this function in turn invokes the claimTokens function of the TokenApprove contract to transfer the tokens the user approved. The trusted DEX Proxy is governed by the Proxy Admin, and the Proxy Admin Owner holds the authority to upgrade the DEX Proxy contract through the Proxy Admin.
The Exploit
On December 12, 2023, the Proxy Admin Owner used the Proxy Admin contract to upgrade the DEX Proxy to a new implementation contract. The new implementation allows anyone to invoke the claimTokens function of the DEX contract directly and trigger token transfers. Attackers then exploited this setup, calling the DEX Proxy to steal tokens. A second upgrade with similar functionality followed on December 12, 2023, and the token theft continued. The attacker’s profit currently stands at approximately $430,000.
The attacker’s wallet was funded through Tornado Cash, and the stolen funds were routed through Railgun, a smart contract system that enables Zero-Knowledge Privacy for any on-chain dApp on Ethereum.
A look at the attacker’s wallet balance using the DeBank portfolio tracker.
The Aftermath
The OKX Web3 Wallet team announced compensation for the affected users. The compromised Proxy was promptly removed from the trusted list, effectively severing the attackers’ access. However, the incident serves as a stark reminder of the potential dangers lurking within centralized control points in DeFi.
Lessons Learned and Building Defense
This attack highlights the importance of:
Diversifying control
- Decentralizing control mechanisms and utilizing multi-signature authorization schemes can significantly reduce the risk of single points of failure.
Transparency and vigilance
- Regular security audits and community engagement can help identify vulnerabilities before exploitation.
Using modular security solutions
- On-chain activity tracking bots can detect mission-critical actions or state changes in smart contracts (malicious transactions such as unexpected external function calls and re-entrant calls) and alert teams through custom notifications so they can act in time.
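As an added example (not OKX’s contracts; TimelockedProxy, proposeUpgrade and executeUpgrade are names assumed here), this is the shape of an upgrade path that applies the lessons above: the admin is expected to be a multisig, every upgrade is announced on-chain before it can take effect, and the delay gives monitoring bots and users time to react or revoke allowances.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example, not OKX's code: an upgradeable proxy whose implementation can
// only change after a publicly announced delay, so one key cannot swap in a
// token-draining implementation and drain user approvals in the same block.
contract TimelockedProxy {
    // ERC-1967 implementation slot, so explorers and monitoring bots see the change.
    bytes32 private constant IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    address public immutable admin;   // assumed to be a multisig, not a single EOA
    uint256 public constant DELAY = 2 days;
    address public pendingImpl;       // proposed implementation, if any
    uint256 public pendingEta;        // earliest timestamp it may go live

    event UpgradeProposed(address indexed impl, uint256 eta);
    event UpgradeCancelled(address indexed impl);
    event Upgraded(address indexed impl);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    constructor(address _admin, address _impl) { admin = _admin; _setImpl(_impl); }

    // Step 1: announce. Bots alert on UpgradeProposed; users can revoke allowances in time.
    function proposeUpgrade(address impl) external onlyAdmin {
        require(impl.code.length > 0, "not a contract");
        pendingImpl = impl;
        pendingEta = block.timestamp + DELAY;
        emit UpgradeProposed(impl, pendingEta);
    }

    // A proposal found to be malicious during the delay is aborted here.
    function cancelUpgrade() external onlyAdmin {
        emit UpgradeCancelled(pendingImpl);
        delete pendingImpl; delete pendingEta;
    }

    // Step 2: the new code goes live only after the delay has elapsed.
    function executeUpgrade() external onlyAdmin {
        require(pendingImpl != address(0) && block.timestamp >= pendingEta, "timelock active");
        _setImpl(pendingImpl);
        delete pendingImpl; delete pendingEta;
    }

    function _setImpl(address impl) private { bytes32 s = IMPL_SLOT; assembly { sstore(s, impl) } emit Upgraded(impl); }
    function _impl() private view returns (address a) { bytes32 s = IMPL_SLOT; assembly { a := sload(s) } }

    // Every other call is forwarded to the current implementation via delegatecall.
    fallback() external payable {
        (bool ok, bytes memory ret) = _impl().delegatecall(msg.data);
        if (!ok) { assembly { revert(add(ret, 32), mload(ret)) } }
        assembly { return(add(ret, 32), mload(ret)) }
    }
}
```

Functions declared on the proxy shadow implementation functions with the same selector, which is the clash the transparent-proxy pattern handles; the DEX’s claimTokens should also keep checking that msg.sender is a trusted proxy.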
While the OKX hack may have been contained, it serves as a wake-up call for the DeFi ecosystem.
About Olympix
Olympix is a pioneering DevSecOps tool that puts security in the hands of the developer by proactively securing code from day one.
Join our beta program now to fortify your smart contracts and proactively shield them from cyber threats in the evolving landscape of Web3 security.