Archived tweet

Tweet by SlowMist:

SlowMist Security Alert: OKX DEX Proxy Admin Owner's Private Key Suspected to be Leaked According to information from SlowMist Zone, the OKX DEX contract appears to have encountered an issue. After SlowMist's analysis, it was found that when users exchange, they authorize the TokenApprove contract, and the DEX contract transfers the user's tokens by calling the TokenApprove contract. The DEX contract has a claimTokens function that allows a trusted DEX Proxy to make calls, with its functionality being to invoke the claimTokens function of the TokenApprove contract to transfer tokens authorized by the user. The trusted DEX Proxy is managed by the Proxy Admin, and the Proxy Admin Owner can upgrade the DEX Proxy contract through the Proxy Admin. On December 12, 2023, at 22:23:47, the Proxy Admin Owner upgraded the DEX Proxy contract to a new implementation contract through the Proxy Admin. The new implementation contract's functionality is to directly call the claimTokens function of the DEX contract to transfer tokens. Subsequently, attackers began calling the DEX Proxy to steal tokens. The Proxy Admin Owner upgraded the contract again at 23:53:59 on December 12, 2023, with similar functionality, and continued stealing tokens after the upgrade. As of now, the attacker has profited approximately 430,000 U. This attack may be a result of the Proxy Admin Owner's private key being leaked. Currently, the DEX Proxy has been removed from the trusted list. Relevant Information: DEX contract: 0x70cbb871e8f30fc8ce23609e9e0ea87b6b222f58 OKX DEX TokenApprove contract: 0x40aa958dd87fc8305b97f2ba922cddca374bcd7f DEX Proxy: 0x55b35bf627944396f9950dd6bddadb5218110c76 Proxy Admin: 0x3c18F8554362c3F07Dc5476C3bBeB9Fdd6F6a500 Proxy Admin Owner: 0xc82Ea2afE1Fd1D61C4A12f5CeB3D7000f564F5C6 Upgrade Transactions: https://etherscan.io/tx/0xc6a5a7bc31bbc9a7530189e718f7ed96789fa65c56c3a4a08079a95074e280c8… https://etherscan.io/tx/0x22ebd267d7344780e6d63cf3a76bab57b8f8fa41cf58df1a2e1707d75d8bee89… Suspected Attacker: 0xFacf375Af906f55453537ca31fFA99053A010239 Profit Address: 0x1F14E38666cDd8e8975f9acC09e24E9a28fbC42d Tweeted at 11:22 PM · Dec 12, 2023

Tweet #1

Links: