Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 173 · Private Key Compromise

OKX DEX Proxy Admin Compromise

OKX DEX aggregator users lost $2.7M after a deprecated proxy-admin key was compromised, upgrading the contract to a malicious version that swept approvals.

Date: December 13, 2023
Victim: OKX DEX
Status: Partially Recovered

On December 13, 2023, the OKX DEX aggregator lost approximately $2.7 million of users' funds after a deprecated proxy-admin private key was compromised. The attacker used it to upgrade the OKX DEX proxy to a malicious implementation that drained tokens from wallets that had granted the aggregator approvals.

What happened

OKX's DEX contracts used an upgradeable proxy. An old proxy-admin key that should have been retired retained upgrade authority. The attacker obtained it and pushed a malicious implementation; the upgraded contract allowed arbitrary transferFrom calls against the (very large) set of wallets with standing OKX DEX approvals. About $2.7M was swept before OKX revoked the proxy admin and paused the contract.

Aftermath

  • OKX rotated the proxy admin, paused the contract, and committed to fully compensating affected users.
  • Most affected users were reimbursed from OKX corporate funds.

Why it matters

OKX DEX combines two recurring catalogue lessons: (1) deprecated keys are live keys until explicitly revoked (cf. Wintermute's un-revoked Profanity role, Gala Games's dormant minter), and (2) upgradeable approval-holding contracts extend user trust to all future implementations. A major exchange's DEX aggregator holds an enormous pool of standing approvals; a single forgotten upgrade key turns that pool into the blast radius. The reimbursement-from-treasury response is, by 2023, the survival-baseline behaviour the catalogue documents repeatedly.
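
A defender-side check for both lessons, added here as an illustration and not taken from OKX or the cited sources: it flags upgrade authority held by keys that the owner's inventory does not list as active, and upgrades to implementations outside an approved release list. It assumes the proxy follows the EIP-1967 layout (the page does not say which proxy standard OKX used); the key registry, the function names and all addresses and hashes are constructed.

```python
# Standard EIP-1967 admin slot; read it with eth_getStorageAt(proxy, ADMIN_SLOT).
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"
# keccak256("Upgraded(address)"), emitted by EIP-1967 proxies on every upgrade.
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"

def word_to_addr(word):
    """Take the low 20 bytes of a 32-byte hex word as a lowercase address."""
    return "0x" + word[-40:].lower()

def audit_proxy(proxy, admin_slot_word, admin_owner, key_registry, approved_impls, logs):
    """Return findings for stale upgrade authority and unapproved upgrades."""
    findings = []
    # The slot holder can upgrade; if it is a ProxyAdmin-style contract
    # (assumption), so can whoever owns that contract.
    holders = {"admin_slot": word_to_addr(admin_slot_word)}
    if admin_owner:
        holders["admin_owner"] = admin_owner.lower()
    for role, addr in holders.items():
        status = key_registry.get(addr, "unknown")
        if status != "active":  # deprecated or unknown keys are still live keys
            findings.append(("STALE_UPGRADE_AUTHORITY", role, addr, status))
    for log in logs:  # entries shaped like eth_getLogs results
        if log["address"].lower() != proxy.lower():
            continue
        if not log["topics"] or log["topics"][0].lower() != UPGRADED_TOPIC:
            continue
        impl = word_to_addr(log["topics"][1])
        if impl not in approved_impls:  # approved_impls: lowercase addresses
            findings.append(("UNAPPROVED_UPGRADE", impl, log["transactionHash"]))
    return findings

# Constructed sample data (not real addresses, hashes or incident data).
PROXY, PROXY_ADMIN, OLD_KEY = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
GOOD_IMPL, ROGUE_IMPL = "0x" + "44" * 20, "0x" + "55" * 20
REGISTRY = {PROXY_ADMIN: "active", OLD_KEY: "deprecated"}
LOGS = [
    {"address": PROXY, "topics": [UPGRADED_TOPIC, "0x" + "00" * 12 + "44" * 20],
     "transactionHash": "0x" + "a1" * 32},
    {"address": PROXY, "topics": [UPGRADED_TOPIC, "0x" + "00" * 12 + "55" * 20],
     "transactionHash": "0x" + "b2" * 32},
]

def demo():
    slot_word = "0x" + "00" * 12 + "22" * 20  # constructed admin slot contents
    return audit_proxy(PROXY, slot_word, OLD_KEY, REGISTRY, {GOOD_IMPL}, LOGS)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run on a schedule, the first check catches a deprecated key before it is used; the second only fires after an upgrade has landed, so it belongs in alerting rather than prevention.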

Sources & on-chain evidence

  1. halborn.com: https://www.halborn.com/blog/post/explained-the-okx-dex-hack-december-2023
  2. cryptobriefing.com: https://cryptobriefing.com/okx-dex-hacked-2-7-million-after-private-key-leak/
  3. rekt.news: https://rekt.news/okx-dex-rekt
