SharkTeam Analysis of the OKX DEX attack event and on-chain asset tracing

In-Depth Exploration: SharkTeam's Analysis and On-Chain Asset Tracing of the OKX DEX Attack Event

Source: SharkTeam

On December 12, 2023, the private key of the OKX DEX Proxy Admin Owner was suspected to have been leaked, and the attacker made approximately $2.7 million in profit.

SharkTeam conducted a technical analysis of the incident in a timely manner and summarized security measures, hoping that future projects can learn from it and build a security defense line for the blockchain industry.

1. Attack Event Analysis

OKX: Dex Aggregator contract: 0x70cbb871e8f30fc8ce23609e9e0ea87b6b222f58

UpgradeableProxy contract: 0x55b35bf627944396f9950dd6bddadb5218110c76

Proxy Admin Owner: 0xc82Ea2afE1Fd1D61C4A12f5CeB3D7000f564F5C6

Proxy Admin contract: 0x3c18F8554362c3F07Dc5476C3bBeB9Fdd6F6a500

Attacker’s address: 0xFacf375Af906f55453537ca31fFA99053A010239

Funds flow address 1: 0x1f14e38666cdd8e8975f9acc09e24e9a28fbc42d

Funds flow address 2: 0x0519eFACB73A1f10b8198871E58D68864e78B8A5

Malicious ProxyMain contract 1: 0x5c4794d9f34fb74903cfafb3cff6e4054b90c167

Malicious ProxyMain contract 2: 0xF36C407F3C467e9364Ac1b2486aA199751BA177D

Malicious Proxy contract creator: 0x5A58D1a81c73Dc5f1d56bA41e413Ee5288c65d7F

One of the exploited transactions: 0x570cf199a84ab93b33e968849c346eb2b761db24b737d44536d1bcb010bca69d

Attack process:

1. On December 12, 2023, 22:20:35, EOA (0x5A58D1a8) created the ProxyMain contract (0x5c4794d9);

2. On December 12, 2023, 22:23:47, Proxy Admin Owner (0xc82Ea2af) upgraded the DEXProxy contract to a new execution contract (0x5c4794d9) through Proxy Admin (0x3c18F855);

3. On December 12, 2023, 23:52:47, EOA (0x5A58D1a8) created the ProxyMain contract (0xF36C407F);

4. On December 12, 2023, 23:53:59, Proxy Admin Owner (0xc82Ea2af) upgraded the DEXProxy contract to a new execution contract (0xF36C407F) through Proxy Admin (0x3c18F855);

5. Both upgrades serve the same purpose: the new execution contract calls the TokenApprove contract's claimTokens function to complete the transfer.

2. Attack Principle Analysis

1. When the ProxyMain contract executes, it first requires that its caller be the attacker's address (0xFacf375A); it then calls the claimTokens function of the Dex Aggregator contract;

2. The Dex Aggregator contract is not open-sourced on Etherscan, so we obtained its code by decompilation. The snippet shows that claimTokens checks whether the proxy is trusted and, once that check passes, calls the OKX DEX: TokenApprove contract;

3. The OKX DEX: TokenApprove function likewise checks that its caller is a trusted Proxy. As with the previous check, once the caller is a trusted Proxy and the user has granted an allowance to TokenApprove, the attacker can drain the funds that user authorized.

3. On-Chain Asset Tracking

The attack and asset transfer mainly focus on the following 3 addresses:

Attacker address: 0xFacf375Af906f55453537ca31fFA99053A010239 (OKX Exploiter);

Receiving address: 0x1F14E38666cDd8e8975f9acC09e24E9a28fbC42d (OKX Exploiter2);

Receiving address: 0x0519eFACB73A1f10b8198871E58D68864e78B8A5 (OKX Exploiter3).

In this attack, the attacker address repeatedly called the claimTokens function of the TokenApprove contract to initiate transfers, which were received by the two receiving addresses.

1. Attacker address: 0xFacf375Af906f55453537ca31fFA99053A010239 (OKX Exploiter) – Historical transactions before the attack:

Inflow:

[screenshot of inbound transactions in the original report]

Outflow:

The address transferred 20419 USDT and 1173 USDT to 0x4187b2daf33764803714D22F3Ce44e8c9170A0f3; those funds then passed through the intermediary addresses 0x4A0cF014849702C0c3c46C2df90F0CAd1E504328, Railgun: Relay, and several others to 0x7A20527ba5a749b3b054a821950Bfcc2C01b959f, an address with a high frequency of transfers of a thousand or more. From there the funds moved in batches of 300,000 USDT to 0x6b8DEfc76faA33EC11006CEa5176B1cec2078DfE and on to multiple addresses with OKX labels, e.g.

0x3D55CCb2a943d88D39dd2E62DAf767C69fD0179F (OKX 23)

0x68841a1806fF291314946EebD0cdA8b348E73d6D (OKX 26)

0xBDa23B750dD04F792ad365B5F2a6F1d8593796f2 (OKX 21)

0x276cdBa3a39aBF9cEdBa0F1948312c0681E6D5Fd (OKX 22)

...

In addition, this address also has activities such as transferring a portion of USDT through Railgun:Relay and swapping coins through Uniswap.

2. Receiving Address 1: 0x1F14E38666cDd8e8975f9acC09e24E9a28fbC42d (OKX Exploiter2):

Inflow:

[screenshot of inbound transactions in the original report]

Outflow:

The funds were scattered through 4 addresses:

0xBbEa72B68138B9a1c3fec2f563E323d025510A4c

0x141F12aB25Fcd1c470a2ede34ad4ec49718B5209

0xFD681A9aA555391Ef772C53144db8404AEC76030

0x17865c33e40814d691663bC292b2F77000f94c34

then moved through the addresses labeled Railgun: Relay and Railgun: Treasury, and finally 410204.0 USDT was transferred to BNB Smart Chain through the address labeled Stargate.

3. Receiving Address 2: 0x0519eFACB73A1f10b8198871E58D68864e78B8A5 (OKX Exploiter3)

620,000 USDT was transferred through the intermediate address 0x48E3712C473364814Ac8d87a2A70a9004a42E9a3 to

0xE8A66A5862Ba07381956449e58999DB541e4DE93

and 0x8094b97A1663b7b73d6c76811355a734BA6F4A1A;

these two addresses then forwarded the funds to two new addresses:

0xB31a2196050A3B861C65f23E180E56eD51cf75D7

and 0x0C1f0233091D6ed371dC84A0ad1602209bCa429c,

which finally transferred 617964.77 to Avalanche C-Chain through the address labeled Stargate.

The hacker may have opened accounts and traded on multiple exchanges such as OKX, Gate.io, and MEXC, so targeted KYC evidence may be obtainable. In addition, the deployment address of the Kumo x World project contract has direct transfer transactions with the hacker's address.
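The path above can be followed mechanically with a haircut taint trace, which attributes to each outflow the tainted share of the sender's balance rather than assuming every hop moves only stolen funds. The block below is an added example, not SharkTeam's tooling; the Stargate address is a placeholder, the transfer list is constructed along the Exploiter3 path, and the split between the two branches is assumed (only the 620,000 and 617964.77 figures come from the report).

```python
# Added example (not SharkTeam's tooling): haircut taint tracing over a transfer list,
# attributing to each outflow the tainted share of the sender's balance and summing
# what reaches labelled endpoints (bridges, exchange deposit addresses).
from collections import defaultdict

EXPLOITER3 = "0x0519efacb73a1f10b8198871e58d68864e78b8a5"  # addresses lowercased for matching
STARGATE = "0xstargate_placeholder"  # placeholder: the report gives the label, not the address
LABELS = {STARGATE: "Stargate (bridge to Avalanche C-Chain)"}

# Constructed transfers in chronological order along the report's Exploiter3 path.
# The start (620,000) and end (617,964.77) figures are the report's; the split
# between the two branches is assumed.
TRANSFERS = [
    (EXPLOITER3, "0x48e3712c473364814ac8d87a2a70a9004a42e9a3", 620000.00),
    ("0x48e3712c473364814ac8d87a2a70a9004a42e9a3", "0xe8a66a5862ba07381956449e58999db541e4de93", 310000.00),
    ("0x48e3712c473364814ac8d87a2a70a9004a42e9a3", "0x8094b97a1663b7b73d6c76811355a734ba6f4a1a", 310000.00),
    ("0xe8a66a5862ba07381956449e58999db541e4de93", "0xb31a2196050a3b861c65f23e180e56ed51cf75d7", 309000.00),
    ("0x8094b97a1663b7b73d6c76811355a734ba6f4a1a", "0x0c1f0233091d6ed371dc84a0ad1602209bca429c", 309000.00),
    ("0xb31a2196050a3b861c65f23e180e56ed51cf75d7", STARGATE, 308982.39),
    ("0x0c1f0233091d6ed371dc84a0ad1602209bca429c", STARGATE, 308982.38),
]

def trace_taint(transfers, seed, labels):
    """Return {label: (tainted_amount, hops_from_seed)} for labelled addresses reached."""
    balance = defaultdict(float)  # funds each address holds, as seen through these transfers
    tainted = defaultdict(float)  # the part of that balance that descends from the seed
    reached = defaultdict(float)
    hops = {seed: 0}
    for src, dst, amount in transfers:
        if src == seed:
            frac = 1.0  # everything the seed sends is tainted
        else:
            # Haircut rule: an outflow carries the sender's current tainted fraction,
            # so funds mixed with clean inflows are only partly attributed.
            frac = tainted[src] / balance[src] if balance[src] > 0 else 0.0
            tainted[src] = max(tainted[src] - amount * frac, 0.0)
            balance[src] = max(balance[src] - amount, 0.0)
        balance[dst] += amount
        tainted[dst] += amount * frac
        if frac > 0:
            hops[dst] = min(hops.get(dst, 10**9), hops[src] + 1)
            if dst in labels:
                reached[dst] += amount * frac
    return {labels[a]: (round(v, 2), hops[a]) for a, v in reached.items()}
```

A clean inflow into any intermediary lowers the tainted fraction of everything that address later sends, which is how the same routine copes with funds mixed at a relay or swap address.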

4. Security Recommendations

The root cause of this incident is the leakage of the Proxy Admin Owner's private key (0xc82Ea2af), which allowed the proxy to be upgraded to the malicious execution contract deployed by the attacker. Once upgraded, the malicious execution contract was treated as a trusted Proxy; TokenApprove saw it as trusted and therefore let the attacker steal the funds that users had authorized to TokenApprove. Therefore, keep the private keys of important account addresses secure.
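Beyond key custody, the upgrade itself was observable on-chain: in steps 1 to 4 of the attack process each implementation was deployed only minutes before the proxy was pointed at it. The block below is an added example, not OKX's or SharkTeam's code, that raises an alert on EIP-1967 Upgraded events whose new implementation is off an allowlist or too young; the allowlist, the one-hour threshold, UTC timestamps and the sample log entries are assumptions.

```python
# Added example (not SharkTeam's or OKX's code): alert on EIP-1967 Upgraded events that point
# the OKX DEX proxy at an implementation not on an allowlist or deployed minutes earlier.
from datetime import datetime, timezone

UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"  # keccak256("Upgraded(address)")
PROXY = "0x55b35bf627944396f9950dd6bddadb5218110c76"  # UpgradeableProxy address from the report
APPROVED_IMPLS = {"0x70cbb871e8f30fc8ce23609e9e0ea87b6b222f58"}  # assumed allowlist: the Dex Aggregator
MAX_IMPL_AGE_SEC = 3600  # assumed: flag implementations younger than one hour at upgrade time

def ts(s: str) -> int:
    """Report timestamps, assumed UTC for this example."""
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp())

def impl_topic(addr: str) -> str:
    """Indexed address arguments are left-padded to 32 bytes in the log topic."""
    return "0x" + addr[2:].lower().rjust(64, "0")

# Constructed deployment times: the two malicious ProxyMain contracts (report steps 1 and 3)
# and an assumed, much older deployment for the legitimate implementation.
DEPLOY_TIME = {
    "0x5c4794d9f34fb74903cfafb3cff6e4054b90c167": ts("2023-12-12 22:20:35"),
    "0xf36c407f3c467e9364ac1b2486aa199751ba177d": ts("2023-12-12 23:52:47"),
    "0x70cbb871e8f30fc8ce23609e9e0ea87b6b222f58": ts("2023-01-01 00:00:00"),
}

# Constructed logs: one routine upgrade, then the two upgrades from report steps 2 and 4.
SAMPLE_LOGS = [
    {"address": PROXY, "topics": [UPGRADED_TOPIC, impl_topic("0x70cbb871e8f30fc8ce23609e9e0ea87b6b222f58")],
     "timestamp": ts("2023-06-01 12:00:00"), "tx_hash": "0xconstructed_tx_0"},
    {"address": PROXY, "topics": [UPGRADED_TOPIC, impl_topic("0x5c4794d9f34fb74903cfafb3cff6e4054b90c167")],
     "timestamp": ts("2023-12-12 22:23:47"), "tx_hash": "0xconstructed_tx_1"},
    {"address": PROXY, "topics": [UPGRADED_TOPIC, impl_topic("0xF36C407F3C467e9364Ac1b2486aA199751BA177D")],
     "timestamp": ts("2023-12-12 23:53:59"), "tx_hash": "0xconstructed_tx_2"},
]

def check_upgrade_logs(logs, deploy_time):
    # Returns (tx_hash, new_impl, reasons) for each Upgraded event on the proxy that fails a check.
    alerts = []
    for log in logs:
        if log["address"].lower() != PROXY or log["topics"][0] != UPGRADED_TOPIC:
            continue  # not an implementation change on the proxy we watch
        impl = "0x" + log["topics"][1][-40:]
        reasons = []
        if impl not in APPROVED_IMPLS:
            reasons.append("implementation not on allowlist")
        age = log["timestamp"] - deploy_time.get(impl, 0)
        if age < MAX_IMPL_AGE_SEC:
            reasons.append(f"implementation deployed {age}s before upgrade")
        if reasons:
            alerts.append((log["tx_hash"], impl, reasons))
    return alerts
```

Wired to a log subscription on the proxy, the first malicious upgrade would have been flagged at 22:23:47, about ninety minutes before the second one.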
