The DEXX Hack Shows Why Security Comes First

CoinW Exchange
6 min read · Nov 29, 2024


Whenever a bull market is in full swing, security breaches follow.

Recently, the on-chain trading platform DEXX suffered a security incident in which tens of millions of dollars in crypto assets were stolen. The victims' group quickly grew to 3,000 people, making this arguably the most sensational crypto security case of the year.

According to public information, DEXX is an omni-chain trading platform focused on memecoins that supports trading in a wide range of on-chain assets. During the unusually hot memecoin boom it rose quickly in popularity, promoting itself through partnerships with KOLs of all sizes and offering high rebates to attract users.

So far, the funds involved exceed 2 million SOL and more than 20 million USDC, plus other assets, and the negative news has also hit the prices of several meme tokens hard.

Opinions: Inside job or hacker attack?

After the incident, DEXX founder Roy said on social media that the platform would compensate users for their losses and had isolated some users' assets, but the community did not buy it, and many users suspected that DEXX had deliberately exit-scammed or stolen the funds itself.

As the incident developed, more and more evidence pointed to serious security problems at DEXX, including private keys stored in plaintext and private keys transmitted unencrypted. With flaws like these, an attacker could simply pull the private keys off the server and transfer the assets.

Users' private keys could reportedly even be copied directly from the clipboard, and according to Cos, founder of SlowMist, it is certain that DEXX's user private keys were held in central custody and have been leaked.

Although DEXX officials say they are doing their utmost to resolve the matter, are in contact with several law enforcement agencies to file a case, and hope to negotiate with the hackers, it is generally believed that if DEXX did in fact rug pull or steal the funds itself, the process of recovering them will only be complicated and difficult.

A number of victims' groups have formed since the incident. According to lawyers' analysis, if DEXX was indeed involved in the theft, its conduct may constitute fraud, and under Article 266 of the Criminal Law the principal offender could face life imprisonment.

DEXX insists that it was hacked. On one hand it is trying to calm users by promising full compensation; on the other it is working with security firms and asking the hackers to return the funds.

Security advice: Protect yourself in the Dark Forest

DEXX is not an isolated case. As the central link in on-chain trading, DEX platforms are attacked frequently. On December 12, 2023, for example, the private key of the OKX DEX proxy administrator was apparently leaked, netting the attacker roughly US$2.7 million. The attacker used the proxy administrator's private key to upgrade the proxy to a malicious implementation contract and then drained the funds that users had approved to it through the TokenApprove function.

Many users mistakenly believe that assets held on a blockchain platform are automatically secure, without appreciating that smart contracts carry design risks of their own. Some users know that a deployed contract cannot be changed, but they may not realise that its logic can be swapped out through upgrade mechanisms such as proxy, logic and storage contracts. Whoever controls the upgrade key can therefore change what the contract does, which gives a malicious actor, or a thief who steals that key, an avenue to exploit.
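To make the proxy risk concrete, here is an added Solidity example (written for this article; it is not OKX's, DEXX's or any project's code, and all contract and function names are hypothetical). The first contract is a minimal EIP-1967-style proxy whose single admin key can replace the implementation instantly, which is the weak setting: every token approval users grant to the proxy address follows whatever code the admin installs. The second contract is the corrected setting, a timelock that becomes the proxy's admin so that upgrades are announced on-chain and only executable after a delay.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal EIP-1967-style proxy. Every call is delegatecall'ed to whatever
// implementation the admin has set, so token approvals that users grant to
// this address are controlled by whoever holds the admin key.
contract AdminProxy {
    // Fixed slots keep the proxy's own state out of the implementation's layout.
    bytes32 internal constant IMPL_SLOT =
        bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1);
    bytes32 internal constant ADMIN_SLOT =
        bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1);

    event Upgraded(address indexed implementation);

    constructor(address impl, address admin) { _store(IMPL_SLOT, impl); _store(ADMIN_SLOT, admin); }

    modifier onlyAdmin() { require(msg.sender == _load(ADMIN_SLOT), "not admin"); _; }

    // WEAK SETTING: one key, immediate effect. If `admin` is a plain EOA and its
    // key leaks, the thief can swap in a malicious implementation and spend
    // every outstanding approval in the same block.
    function upgradeTo(address newImpl) external onlyAdmin {
        require(newImpl.code.length > 0, "not a contract");
        _store(IMPL_SLOT, newImpl);
        emit Upgraded(newImpl);
    }

    fallback() external payable { _delegate(_load(IMPL_SLOT)); }
    receive() external payable { _delegate(_load(IMPL_SLOT)); }

    // Forward calldata to the implementation and bubble up its return/revert data.
    function _delegate(address impl) internal {
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    function _load(bytes32 slot) internal view returns (address a) { assembly { a := sload(slot) } }
    function _store(bytes32 slot, address a) internal { assembly { sstore(slot, a) } }
}

// CORRECTED SETTING: make this contract the proxy's admin instead of an EOA.
// The owner (ideally a multisig) can only *schedule* an upgrade; it becomes
// executable after DELAY, during which the pending address is public, so
// users can revoke approvals and the team can cancel or rotate keys.
contract UpgradeTimelock {
    uint256 public constant DELAY = 2 days;
    address public immutable owner;
    AdminProxy public immutable proxy;
    address public pendingImpl;
    uint256 public eta; // earliest timestamp at which pendingImpl may be applied

    event UpgradeScheduled(address indexed impl, uint256 eta);
    event UpgradeCancelled(address indexed impl);

    constructor(AdminProxy _proxy, address _owner) { proxy = _proxy; owner = _owner; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function schedule(address newImpl) external onlyOwner {
        require(newImpl.code.length > 0, "not a contract");
        pendingImpl = newImpl;
        eta = block.timestamp + DELAY;
        emit UpgradeScheduled(newImpl, eta);
    }

    // Abort a pending upgrade inside the window (e.g. after a suspected key leak).
    function cancel() external onlyOwner { emit UpgradeCancelled(pendingImpl); pendingImpl = address(0); eta = 0; }

    // Permissionless once the delay has elapsed; the timelock contract, not a
    // human-held key, is what the proxy recognises as admin.
    function execute() external {
        address impl = pendingImpl;
        require(impl != address(0) && block.timestamp >= eta, "not ready");
        pendingImpl = address(0);
        eta = 0;
        proxy.upgradeTo(impl);
    }
}
```

Deploy AdminProxy with `admin` set to the UpgradeTimelock address (which in turn is owned by a multisig). A stolen owner key can still schedule a malicious implementation, but the UpgradeScheduled event and the public `pendingImpl` give users two days to revoke approvals and give the team time to call `cancel`, instead of the single-transaction drain described above.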

Take the well-known DEX Curve: its pool contracts are immutable once deployed, precisely to rule out human malfeasance, but immutability alone does not make a contract secure. Curve Finance suffered a serious hack in the early hours of July 31, 2023. Attackers discovered that certain versions of Vyper, a smart-contract language for Ethereum, namely 0.2.15, 0.2.16 and 0.3.0, had a broken reentrancy lock, allowing them to re-enter the contracts' functions repeatedly until the pools were drained.

Specifically, the Vyper compiler bug caused the reentrancy lock to fail: functions that shared the same lock key were assigned different storage slots, so holding the lock in one function did not block re-entry through another, bypassing the mechanism that was supposed to prevent reentrancy. Vyper's test cases were also inadequate and failed to catch the wrong slot assignment. The checks-effects-interactions (CEI) pattern familiar from Solidity best practice defends against reentrancy regardless of compiler, but the affected Curve pools relied on Vyper's built-in lock rather than on CEI ordering, so when the compiler's lock broke there was no second line of defense.

Multiple Curve Finance pools, including the alETH, msETH and pETH pools, were attacked, with losses estimated at more than $70 million. The CRV/ETH pool was emptied within minutes, losing about $42 million, and other affected pools included mainstream pools such as msUSD/3Crv and msETH/ETH.

The attack not only drove Curve's own token, CRV, to a historic low of $0.08, but also caused the TVL of a large number of on-chain protocols to plummet.

Beyond these incidents, smart contracts carry several common classes of vulnerability. Here are the main types and how they are exploited:

1. Reentrancy vulnerabilities:

  • Description: When contracts call one another, an external call made before the calling function has finished updating its own state lets the callee (for example, an attacker's contract) call back into that function while it is still mid-execution. The second invocation sees stale state, so the attacker's code runs again under conditions that should already have been invalidated.
  • How it is exploited: The attacker repeatedly re-enters a withdrawal function, moving assets out each time before the balance is debited, until the contract is drained. Reentrancy in emergencyWithdraw functions, for example, has been used for repeated thefts.

2. Integer overflow vulnerabilities:

  • Description: An overflow occurs when an integer exceeds its type's upper or lower bound and wraps around, producing a value that bears no relation to the intended one.
  • How it is exploited: An attacker can make a transfer amount wrap to a tiny number (or zero) so that the sender's balance check passes while each recipient is credited with the full, unwrapped amount. In the BEC contract, an attacker used an integer overflow to transfer out roughly 6.4 billion BEC tokens, driving the token's market value to nearly zero.

3. Variable shadowing and confusion vulnerabilities:

  • Description: A developer may declare a variable that shadows or is easily confused with another (for example a local or inherited variable with the same name as a state variable), so that reads and writes land on the wrong variable.
  • How it is exploited: An attacker steers the contract logic through the confused variable to perform operations, and transfer funds, that the intended logic would have forbidden.
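List item 2 is illustrated by the following added Solidity example, written for this article; it is not the BEC contract or any project's code, and the contract and function names are hypothetical. Solidity 0.8 and later reverts on overflow by default, so the vulnerable function reproduces the pre-0.8 wrapping behaviour inside an `unchecked` block, beside the checked version that rejects the same input.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token with a batch transfer, in the style of the 2018 BEC incident.
contract BatchToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor(uint256 supply) {
        totalSupply = supply;
        balanceOf[msg.sender] = supply;
    }

    // VULNERABLE (pre-0.8 semantics via `unchecked`): cnt * value can wrap.
    // Malicious input: two recipients and value = 2**255. Then amount wraps to
    // 2**256 mod 2**256 == 0, the balance check passes with any balance, and
    // each recipient is credited with 2**255 tokens out of thin air.
    function batchTransferUnchecked(address[] calldata to, uint256 value) external {
        uint256 cnt = to.length;
        require(cnt > 0 && cnt <= 20, "bad count");
        uint256 amount;
        unchecked { amount = cnt * value; }                        // wraps silently
        require(value > 0 && balanceOf[msg.sender] >= amount, "insufficient");
        unchecked {
            balanceOf[msg.sender] -= amount;                       // subtracts the wrapped amount
            for (uint256 i = 0; i < cnt; i++) {
                balanceOf[to[i]] += value;                         // credits the real value
            }
        }
    }

    // HARDENED: default checked arithmetic reverts when cnt * value overflows,
    // and the total is bounded by totalSupply as defence in depth.
    function batchTransfer(address[] calldata to, uint256 value) external {
        uint256 cnt = to.length;
        require(cnt > 0 && cnt <= 20, "bad count");
        uint256 amount = cnt * value;                              // reverts on overflow
        require(value > 0 && amount <= totalSupply, "amount exceeds supply");
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        for (uint256 i = 0; i < cnt; i++) {
            balanceOf[to[i]] += value;
        }
    }
}
```

Calling `batchTransferUnchecked([a, b], 2**255)` from an account holding zero tokens succeeds and leaves `a` and `b` each with 2**255 tokens, far more than totalSupply; the same call to `batchTransfer` reverts with a panic from the multiplication before any balance is touched.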

Under the influence of "Code is Law" thinking, most people also assume that code is safe, when in fact it is highly risky: code is still written by people, and users often overlook the impact of human error, code defects and external manipulation on a blockchain system. Phishing, social engineering and weak account passwords, for instance, can all lead to an account being compromised.

Conclusion

Security is always the top priority in blockchain, and Web3, as the Internet of value, must be able to guarantee the safe storage and transfer of value.

CoinW has also taken a variety of measures to protect its users, such as keeping most user assets in cold wallets, which materially reduces the risk of hacking, and using multi-signature technology to protect large transfers; over seven years of operation it has maintained a safe, incident-free operating record.


Written by CoinW Exchange

Established in 2017, our top-tier integrated trading platform offers futures trading and a range of other services to over 7 million users globally.
