Understanding the OKX Exploit

4 min read

Learn how OKX was exploited, resulting in a loss of assets worth roughly $2.7 million.


On December 13, 2023, an old and abandoned market maker smart contract of OKX was exploited, resulting in a loss of assets worth over $2.7 million. 

Introduction to OKX#

OKX is a global digital asset exchange that offers a range of trading services for cryptocurrencies and other financial products.

Vulnerability Assessment#

The root cause of the exploit is likely due to the compromise of the private keys of the proxy admin.

Attack Explained#

When users opt to exchange assets, they authorize the TokenApprove contract, and then the DEX contract transfers the tokens approved by users by calling this TokenApprove contract.

The DEX contract has a claimTokens function that allows a trusted DEX Proxy to make calls. This function in turn invokes a call to the claimTokens function of the TokenApprove contract to transfer tokens authorized by the user.

function claimTokens(address _token, address _who, address _dest, uint256 _amount) external {
  require(msg.sender == tokenApproveProxy, "TokenApprove: Access restricted");
  if (_amount > 0) {
    IERC20(_token).safeTransferFrom(_who, _dest, _amount);

The Proxy Admin is in charge of managing the trusted DEX Proxy, and the Proxy Admin Owner can upgrade the DEX Proxy contract through the Proxy Admin.

As viewed in this transaction, the Proxy Admin Owner upgraded the DEX Proxy contract to a new implementation contract through the Proxy Admin.

This new implementation contract directly calls the claimTokens function of the DEX contract to transfer tokens, which was controlled by attackers to steal tokens.

These are the addresses of the attackers who were involved in the heist.

0xFacf375Af906f55453537ca31fFA99053A010239 labeled as OKX Exploiter
0x1F14E38666cDd8e8975f9acC09e24E9a28fbC42d labeled as OKX Exploiter 2 0x0519eFACB73A1f10b8198871E58D68864e78B8A5 labeled as OKX Exploiter 3

The Proxy Admin Owner upgraded the contract yet again with similar functionality and continued to steal tokens after the upgrade.

A portion of the stolen funds were transferred to this address and then subsequently deposited to Railgun, and some of the stolen funds were then distributed to different externally owned addresses.



The team acknowledged the occurrence of the exploit and stated that the incident targeted a deprecated smart contract on OKX DEX. They took immediate action to secure all funds and revoke the contract permissions. According to them, they are working with relevant agencies to locate the stolen funds and will be reimbursing all of the affected users.


In light of the recent OKX exploit, there are several strategies that could potentially prevent similar incidents in the future. The compromise of private keys played a pivotal role in this exploit, highlighting the need for enhanced security measures.

Firstly, safeguarding private keys is crucial. Organizations should adopt multi-signature protocols for key management, where multiple parties must agree to any significant contract changes or transactions. This approach mitigates the risk associated with a single point of failure. Additionally, using hardware security modules (HSMs) to store private keys provides an extra layer of security, as these devices are specifically designed to safeguard digital keys and perform cryptographic operations.

Phishing attacks often target private keys. Educating team members about the risks and signs of phishing can significantly reduce the likelihood of such compromises. Regular training sessions, coupled with simulated phishing exercises, can help in recognizing and avoiding phishing attempts. Establishing a protocol for secure communication channels and verifying the sources of any messages or emails requesting sensitive information are also effective strategies.

When it comes to smart contracts, particularly those involving token approvals, the practice of granting unlimited token access should be reconsidered. Instead, contracts should be designed to request only the necessary amount of tokens for each transaction. Users should also be encouraged to regularly review and revoke unnecessary token approvals. This can be facilitated by providing them with easy-to-use tools and interfaces for managing their approvals.

From a broader perspective, the implementation of rigorous auditing and continuous monitoring of smart contracts is essential. Engaging with reputable third-party auditors who can scrutinize contracts for vulnerabilities is a proactive step. Moreover, incorporating automated security tools and real-time monitoring systems can help in quickly identifying and responding to any suspicious activities.

In addition to these technical measures, fostering a culture of security within the organization is paramount. Regular discussions about security, updates on the latest threats, and encouraging a mindset where security is everyone's responsibility can significantly strengthen an organization's defense against such exploits.

Lastly, it is important to have a well-defined incident response plan. This plan should include immediate steps to be taken in the event of a security breach, communication strategies both internally and with affected parties, and measures for damage control and recovery. Having such a plan in place ensures that the organization can respond swiftly and effectively, minimizing the impact of any security incident.

Reference Source SlowMist