Insider theft or external hack? Tracing the DEXX theft incident
Author: Rhythm BlockBeats
On November 16, user assets on the on-chain trading terminal DEXX were stolen, and several meme coins sold off sharply early this morning. Security firms have not yet confirmed the exact amount stolen, but community estimates put the losses at over 16 million dollars.
Roy, the founder of DEXX, stated this morning that he would compensate users for their losses. So far, multiple users have reported that their remaining account assets have been moved to a secure isolation address.
DEXX Security Vulnerability
After the DEXX theft, the community began to scrutinize this meme-only trading platform, whose referral links had previously flooded the community, and the KOLs who promoted DEXX were also blamed by users.
Yuxian, founder of the security firm SlowMist, stated: "The group that was stolen from is the one using DEXX to pump shitcoins/meme trading. The private keys were held in DEXX's centralized custody and must have leaked; the investigation will reveal how."
The community found, from the export_wallet request visible in the browser developer tools, that when a user exports their DEXX private key the server returns it in plaintext. That means user private keys are stored on DEXX's official server rather than generated and held on the user's device. If the connection were unencrypted, an attacker could intercept private keys in transit; even over HTTPS, sending the raw private key to the browser exposes it to browser vulnerabilities or other client-side issues, and any compromise of the server's key store exposes every user at once.
As a result, some users jokingly said, "DEXX has redefined non-custodial wallets."
Additionally, the wallet application OneKey stated that DEXX repeatedly requested permission to "upload user clipboard content," which may have uploaded users' clipboard contents, and advised: "If you have copied your private key or mnemonic on your phone, transfer your assets as soon as possible."
DEXX's audit was performed by CertiK, which gave it a score of 59.31, a failing grade, and flagged 9 risks: the major "centralization" risk remains unresolved; of four moderate risks, two are resolved and two, including "vulnerable code," are not; and of four minor risks, only one is resolved.
Some users pointed out that DEXX and the various trading bots are completely exposed in terms of security, and that project teams universally adopt the mindset: "Users don't understand or care anyway; lucky peers who do the same haven't been hacked yet; if I did care I would pay heavily in R&D cost and user experience, so I don't need to care."
Given the earlier BananaGun and Unibot incidents, which carried the same theft risk, the principle of on-chain trading still holds: "Not Your Keys, Not Your Money."
Latest News and Investigation Progress
11-16 14:12
According to GoPlus security monitoring, phishing scams aimed at DEXX victims have been found under the guise of "rights protection communities," "DEXX theft registration," and "DEXX compensation." Users should be cautious and should not upload private keys or mnemonic phrases, or connect a wallet to "confirm," to avoid secondary harm.
11-16 14:02
Yuxian, founder of SlowMist, posted an update on social media regarding the DEXX incident, stating that SlowMist has received nearly 500 requests related to the DEXX theft. The analysis is still ongoing, and preliminary assessments put the losses in the tens of millions of dollars (the figure moves with the sharp price swings of some meme coins). Almost every victim corresponds to a different attacker address, indicating that the attackers planned this incident well in advance, with the gas funding exchanged through XMR three days ago.
11-16 13:27
Blockchain security audit company CertiK released a statement saying that it has recently received a large number of requests for help from DEXX platform users, who reported that their account assets were emptied. CertiK confirmed that the incident occurred on the Solana chain, which is not within the scope of CertiK's audit of DEXX.
CertiK stated that the main cause of the incident was improper private key management on the DEXX platform, which led to the leakage of the platform's official private keys.
11-16 12:30
Yuxian, founder of SlowMist, responded on social media to screenshots circulating online claiming that "DEXX users have cumulatively lost 488 million dollars," stating that each victim in the DEXX case corresponds to a different hacker address, so the stolen funds will not be concentrated in a single address.
Meme Price Update
11-16 08:56
According to GMGN market data, BAN, LUCE, PNUT and other meme coins have declined to varying degrees, possibly affected by the DEXX theft:
· BAN has dropped about 30% since the incident, currently priced at 0.126 dollars
· LUCE has dropped about 20% since the incident, currently priced at 0.211 dollars
· PNUT has dropped by up to about 12.5% since the incident, currently priced at 1.72 dollars