OKX DEX (OKX Decentralized Exchange Aggregator): Compromised proxy admin key → malicious implementation upgrade → claimTokens() drain of user approvals
Summary
OKX DEX (OKX Decentralized Exchange Aggregator), a DEX aggregator, suffered an exploit on 2023-12-13, resulting in a loss of approximately $3M.
What happened
OKX's DEX aggregator lost $2.7M when a compromised proxy admin key was used to swap in a malicious implementation that drained any wallet that had previously approved the contract.
Linked factors
- RD-F-006 — causal: Audit-deploy gap (time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — malicious upgrade deployed by attacker] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — malicious upgrade deployed by attacker]
- RD-F-007 — related: Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-027 — causal: ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay] || ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — proxy implementation upgrade by compromised Proxy Admin Owner was the trigger event] || ★ Single admin EOA — adjacent [via cross-hack: Factor 36: Deprecated Contract With Live Admin Key]
- RD-F-031 — causal: Signer rotation recency [via cross-hack: Factor 56: Dormant Admin Key > 30 Days]
- RD-F-032 — related: Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
- RD-F-101 — illustrative: Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — proxy implementation upgrade by compromised Proxy Admin Owner was the trigger event]
- RD-F-146 — related: New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — malicious upgrade deployed by attacker]
- RD-F-166 — causal: Officially-deprecated surface still holds material value [via cross-hack: Factor 33: Decommissioned Infrastructure Retaining Live Credentials] || Officially-deprecated surface still holds material value [via cross-hack: Factor 36: Deprecated Contract With Live Admin Key]
- RD-F-168 — related: Stale user approvals on deprecated router [via cross-hack: Factor 33: Decommissioned Infrastructure Retaining Live Credentials]