Article reprinted from: Bitrace
Recently, the DEXX platform suffered a severe asset-theft incident. As a multi-chain trading tool, DEXX offers fast trading, anti-MEV protection, strategy trading, and other functions, and it gave hundreds of thousands of users an extremely convenient trading experience during the memecoin boom. On November 16, however, many users found that the assets in their accounts had been emptied.
The root cause is that DEXX custodied user assets centrally, as an exchange does, but without the asset-management controls that such custody requires. That architecture exposed almost every user's assets to the same risk.
The incident not only reveals the weaknesses in DEXX's asset management but also gives us an opportunity to understand the risks of custodial wallets more deeply.
Difference between Custodial Accounts and Self-Custodial Accounts
Custodial accounts: In traditional finance, a centralized institution has full control over user assets, and users must ask the institution to redeem their funds. A centralized exchange works the same way: the address it allocates to a user is only a deposit address. The user has no signing authority over it, and every trade, transfer, and withdrawal must be approved and executed by the platform.
This means the platform's risk controls largely determine how safe user assets are.
Self-custodial accounts: A self-custodial account uses a decentralized wallet, and the user retains full ownership of the assets. Having generated the mnemonic or private key in a trusted environment, the user can move assets out of the address without anyone's permission.
Whether the user, and only the user, holds the private key or mnemonic for the address is the key feature that distinguishes self-custodial from custodial.
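As an added example (not code from the Bitrace article or from DEXX), the following Go program shows that distinction in code: it derives a Solana-style address (base58 of an ed25519 public key) from a seed, checks that the secret the user holds actually controls a given address, and shows that a party holding only the public key can verify a signature but never produce one. The seed, the message, and the `Verifier` type are constructed stand-ins; a real wallet derives the seed from a mnemonic and signs a serialized transaction rather than a text string.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"math/big"
)

// constructedSeed stands in for the 32-byte secret a wallet derives from a mnemonic.
// It is fixed here only so the run is reproducible; never use a fixed seed for real funds.
var constructedSeed = []byte("0123456789abcdef0123456789abcdef")

const base58Alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

// Base58Encode renders bytes the way Solana prints ed25519 public keys as addresses.
func Base58Encode(b []byte) string {
	n := new(big.Int).SetBytes(b)
	radix, rem := big.NewInt(58), new(big.Int)
	var out []byte
	for n.Sign() > 0 {
		n.DivMod(n, radix, rem)
		out = append(out, base58Alphabet[rem.Int64()])
	}
	for _, c := range b { // each leading zero byte becomes a leading '1'
		if c != 0 {
			break
		}
		out = append(out, base58Alphabet[0])
	}
	for i, j := 0, len(out)-1; i < j; i, j = i+1, j-1 { // digits came out least-significant first
		out[i], out[j] = out[j], out[i]
	}
	return string(out)
}

// Wallet is what a self-custodial user keeps locally: the full ed25519 private key.
type Wallet struct{ priv ed25519.PrivateKey }

func NewWalletFromSeed(seed []byte) Wallet {
	return Wallet{priv: ed25519.NewKeyFromSeed(seed)}
}

// Address is the public half of the key pair, printed in base58.
func (w Wallet) Address() string {
	return Base58Encode(w.priv.Public().(ed25519.PublicKey))
}

// Sign authorises a transaction; only the holder of the private key can do this.
func (w Wallet) Sign(msg []byte) []byte { return ed25519.Sign(w.priv, msg) }

// PublicOnly is what the user hands to a service that does not custody the key.
func (w Wallet) PublicOnly() Verifier {
	return Verifier{pub: w.priv.Public().(ed25519.PublicKey)}
}

// HoldsKeyFor is the article's self-custody test in code: does the secret I hold
// actually derive to this address?
func HoldsKeyFor(seed []byte, address string) bool {
	return NewWalletFromSeed(seed).Address() == address
}

// Verifier models a party (exchange, trading tool, RPC node) that has only the
// public key. It can check a signature but cannot create one, so it cannot move funds.
type Verifier struct{ pub ed25519.PublicKey }

func (v Verifier) Verify(msg, sig []byte) bool { return ed25519.Verify(v.pub, msg, sig) }

func main() {
	w := NewWalletFromSeed(constructedSeed)
	addr := w.Address()
	fmt.Println("address:", addr)
	fmt.Println("my seed controls it:", HoldsKeyFor(constructedSeed, addr))

	msg := []byte("constructed stand-in for a serialized transfer transaction")
	svc := w.PublicOnly()
	fmt.Println("service accepts my signature:", svc.Verify(msg, w.Sign(msg)))

	// Without the private key, the service (or whoever breaches it) cannot produce a
	// signature the chain would accept; an all-zero "signature" is rejected.
	fmt.Println("service accepts a forged signature:", svc.Verify(msg, make([]byte, ed25519.SignatureSize)))
}
```

The practical check is `HoldsKeyFor`: if the address you trade from was handed to you by a platform and you cannot reproduce it from key material you generated yourself, the account is custodial no matter what the interface calls it.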
Difference between DEXX theft and exchange theft
Account theft at an exchange typically takes one of two forms: the user's credentials for the custodial platform account are compromised and the attacker withdraws the assets through the platform; or the platform itself is breached and assets are transferred straight out of its hot wallets, in the worst case with the private keys or mnemonics of the cold wallets stolen as well.
DEXX uses a similar centralized account structure: the user creates an address on the platform, and the platform shares operational control of that address with the user rather than leaving it solely in the user's hands. Unlike a CEX, however, DEXX does not aggregate custodied funds into a small number of centrally managed addresses protected by controls such as hot/cold wallet isolation and multi-signature approval. That leaves the platform-held keys as a single point of failure.
How should users mitigate custodial risks
Balance security and convenience: Traditional on-chain trading, where every transaction is signed from the user's own wallet, is cumbersome, but bypassing those steps to chase trading opportunities shifts the risk onto the custodian. Use custodial services only with a full understanding of the risks, and keep the amount you expose to them within a range you can afford to lose.
Do not trust blindly: Do not readily hand permissions over your address to other people or tools. Keep track of the permissions you have granted in daily use, and avoid suspicious applications and unknown links.
Learn Web3 anti-fraud knowledge: Understanding common fraud techniques helps investors avoid most of the risks they will encounter. Bitrace has prepared a Web3 Anti-Fraud Handbook to help ordinary investors raise their security awareness; it is available at: https://bitrace.io/en/blog
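One concrete way to "manage your permissions" and "limit exposure" before signing, added here as an illustration and not something the article or DEXX provides: on EVM chains, the permission most often handed to a tool is a token approval. The Go program below decodes the calldata of an `approve(address,uint256)` or `setApprovalForAll(address,bool)` call, flags an unlimited approval (an amount of 2^256-1, or `setApprovalForAll(..., true)`), and compares the amount against what the user actually intends the tool to be able to move. The calldata strings and the spender addresses are constructed examples; the two function selectors are the standard ERC-20 and ERC-721 ones.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Selectors are the first 4 bytes of keccak256(signature); these two are the
// standard ERC-20 and ERC-721 ones.
const (
	selApprove           = "095ea7b3" // approve(address,uint256)
	selSetApprovalForAll = "a22cb465" // setApprovalForAll(address,bool)
)

// maxUint256 is the value most dapps request when they ask for an "infinite" approval.
var maxUint256 = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 256), big.NewInt(1))

// Constructed calldata for the examples; the spender addresses are placeholders.
var (
	unlimitedApprove = "0x095ea7b3" +
		"0000000000000000000000001111111111111111111111111111111111111111" +
		"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
	boundedApprove = "0x095ea7b3" +
		"0000000000000000000000001111111111111111111111111111111111111111" +
		"00000000000000000000000000000000000000000000000000000000000f4240" // 1,000,000 base units
	approveAll = "0xa22cb465" +
		"0000000000000000000000002222222222222222222222222222222222222222" +
		"0000000000000000000000000000000000000000000000000000000000000001"
)

type ApprovalFinding struct {
	Kind      string   // "approve" or "setApprovalForAll"
	Spender   string   // spender/operator, 0x-prefixed lowercase hex (no EIP-55 checksum)
	Amount    *big.Int // approved amount; nil for setApprovalForAll
	Unlimited bool     // true when the call hands over everything
}

// InspectCalldata decodes an approval call. It returns (nil, nil) for calldata
// that is not one of the two approval functions.
func InspectCalldata(calldata string) (*ApprovalFinding, error) {
	raw, err := hex.DecodeString(strings.TrimPrefix(strings.ToLower(calldata), "0x"))
	if err != nil {
		return nil, err
	}
	if len(raw) < 4 {
		return nil, errors.New("calldata shorter than a selector")
	}
	sel, args := hex.EncodeToString(raw[:4]), raw[4:]
	switch sel {
	case selApprove, selSetApprovalForAll:
	default:
		return nil, nil
	}
	if len(args) < 64 { // both functions take two 32-byte ABI words
		return nil, errors.New("truncated approval arguments")
	}
	spender := "0x" + hex.EncodeToString(args[12:32]) // address is the low 20 bytes of word 0
	word1 := new(big.Int).SetBytes(args[32:64])
	if sel == selApprove {
		return &ApprovalFinding{Kind: "approve", Spender: spender, Amount: word1,
			Unlimited: word1.Cmp(maxUint256) == 0}, nil
	}
	return &ApprovalFinding{Kind: "setApprovalForAll", Spender: spender,
		Unlimited: word1.Sign() != 0}, nil
}

// WithinExposure applies the "limit exposure" rule: refuse unlimited approvals and
// any amount above what the user intends this tool to be able to move.
func WithinExposure(f *ApprovalFinding, intended *big.Int) bool {
	if f == nil {
		return true // not an approval, so nothing is being granted
	}
	if f.Unlimited {
		return false
	}
	if f.Amount == nil {
		return true // setApprovalForAll(..., false) revokes; nothing is granted
	}
	return f.Amount.Cmp(intended) <= 0
}

func main() {
	intended := big.NewInt(500_000) // constructed: the most this tool should be able to spend
	for _, cd := range []string{unlimitedApprove, boundedApprove, approveAll} {
		f, err := InspectCalldata(cd)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-18s spender=%s unlimited=%v sign=%v\n",
			f.Kind, f.Spender, f.Unlimited, WithinExposure(f, intended))
	}
}
```

A wallet prompt shows the same calldata in hex; running this check before approving a trading tool turns "do not hand over your permissions" into a yes/no decision based on the amount the contract would actually be allowed to take.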
Conclusion
The DEXX incident shows that the conveniences of blockchain technology must be enjoyed with constant vigilance. Investors who understand the risks of custodial wallets and take appropriate precautions will be better able to protect their digital assets.