Written by: Luke, Mars Finance

Event Overview

On the morning of November 16, 2024, a major security incident occurred at the on-chain trading terminal DEXX: user assets were stolen, with the amount involved reaching up to $400 million. As a result, multiple meme coins came under selling pressure and their prices fell sharply. The attacker used one-to-one transfers to evade tracking, and the funds in the receiving addresses have not yet been consolidated.

This attack spanned multiple chains. It not only affected the assets of DEXX platform users but also had a wide-ranging impact on the entire meme community, once again highlighting the tension between functionality and security on decentralized platforms and revealing serious problems in how user funds are managed.

DEXX is a full-chain trading platform focused on Memecoins, supporting trading of multi-chain assets such as SOL, ETH, TRX, BASE and BSC, and providing on-chain take-profit and stop-loss orders, hot-spot push notifications, copy trading and other functions. Compared with mature full-chain trading platforms such as Banana Gun and Unibot, DEXX's main differentiator is smoothness, and it even earned the reputation of being the "on-chain Binance". However, this incident exposed that DEXX neglected the rigorous construction of security mechanisms in its pursuit of functional innovation. This practice of focusing on features while neglecting security created the conditions for this theft of user funds.

Security Vulnerability Analysis

According to the investigation by SlowMist founder Yu Xian, the main cause of the DEXX incident was improper private key management. User private keys were stored in plain text on official servers, and there was a lack of adequate encryption during transmission. This means that attackers could intercept user private keys in transit and gain access to the assets. This private key management method clearly does not meet the industry's basic requirements for decentralized security, and has therefore been criticized as "essentially custodial", greatly increasing the risk of user asset theft.

In addition, the DEXX platform app was found to repeatedly request clipboard permissions. If a user had copied private keys or mnemonics to the clipboard, this information could easily have been transmitted to the platform without the user noticing, increasing the risk of sensitive information leakage. For users, the leakage of such private data poses a serious threat to asset security, and this neglect of user information protection is worrying.

What's more, some users reported that as early as a few months ago, the platform had quietly transferred small amounts of tokens out of their accounts. Because the amounts were small, many users did not pay attention and did not realize there was a potential problem until this large-scale theft. In addition, a few days before the incident, some users found that their accounts were restricted when withdrawing funds, and certain specific tokens could not be withdrawn successfully. In hindsight, these phenomena may have been signs of a premeditated crime.

DEXX's security audit was completed by CertiK, but the score was only 59.31 points, with 9 risks identified, of which the main risk, "centralized management", was not resolved. This incident was caused by improper management of private keys on the official side, which led to their leakage and ultimately the theft of user funds. Although CertiK's audit report warned of the risks, the project team did not fully address them, which ultimately led to this accident. Improper storage of user private keys and the lack of private key protection measures were the core causes.

According to community user feedback, in this attack the hacker batch-created receiving addresses and used a one-to-one transfer strategy to move the stolen assets, apparently to avoid tracking as far as possible. The hacker was not only very cautious in fund operations, but also carefully chose the time of attack: it was launched at 4 or 5 in the morning, when Chinese users were asleep. This shows that the hacker is very familiar with the platform's user base and the daily rhythm of the target users, and is most likely Chinese. However, DEXX officials only issued an English notice afterwards, which seemed intended to lead users to believe that the hackers were foreign actors. This vague statement further deepened users' doubts.

Official response

On the morning of the incident, DEXX founder Roy said on social media that he would compensate users for their losses and had quarantined some users' assets. However, Roy did not disclose which accounts had been quarantined, and the community did not buy it. Many users questioned whether DEXX itself was behind the theft or was even deliberately running away, and the criticism continued.

Public information shows that dexx.ai's services are provided by the following entities:

  • DEXX LTD, a Colorado-registered company operating under the DEXX brand, is available to residents of approved locations within the United States;

  • DEXX Bahamas Limited, a company registered in the Bahamas, for Mexican residents and institutional users registered after August 29, 2023;

  • DEXX SG Ltd., a company registered in Singapore, is available to registered Singapore resident users;

  • DEXX Ltd., a company registered in the Marshall Islands, for all other users eligible to access and use the DEXX Services;

  • DEXX Co., Ltd., a company registered in Tokyo, Japan, for registered Japanese residents;

  • DEXX Ltd, a company registered in the Hong Kong Special Administrative Region, is available to registered Hong Kong residents.

Faced with a loss of 400 million US dollars, the solvency of the DEXX team is questionable. The latest official news says that some progress has been made, and users are being asked to post a message with their wallet address and tag the official SOL account to exert pressure and get more help.

Community outrage, KOLs quickly distance themselves

As soon as the theft occurred, the community united to help itself. A "Statistics of DEXX stolen customer losses" form was circulated in various rights-protection groups. At the same time, many on-chain analysts and security teams analyzed the hacker's modus operandi. The preliminary conclusion was that the amount involved was US$460 million, that receiving addresses were created in batches, and that the use of one-to-one transfers increased the difficulty of tracking. Since then, social media and Telegram groups have been full of criticism, and the current mainstream view is that the incident was an inside job.

In addition, the prices of multiple Meme coins fell sharply due to large-scale selling; among them, LUCE and PNUT fell by 41% and 34% respectively over the two days of the weekend. The stolen assets hang over the market like a sword of Damocles, especially for Meme coins, since these funds may be sold at any time and cause further price plunges.

DEXX's rapid rise is inseparable from vigorous promotion by KOLs. In order to acquire users, DEXX offered rebates of up to 50%-60% of trading fees, attracting many KOLs to endorse it. Insiders revealed that the monthly rebate income of top KOLs was as high as 40,000 US dollars. Driven by these incentives, many KOLs strongly recommended DEXX in private communities: "Use it even if it is hard to use, use it even if it is easy to use, and if the conditions aren't there, create the conditions and use it anyway." To some extent, this viral marketing foreshadowed the subsequent tragedy.

However, once the incident broke out, these KOLs immediately distanced themselves from it and even deleted all their previous promotional content. According to one user's statistics, more than 30 KOLs, big and small, participated in promoting DEXX, but fewer than 5 of them owned up to their mistakes and kept their tweets online. The rest either went silent or posted self-pitying messages.

This incident once again proves that as long as the temptation of high returns exists, platforms and promoters are easily blinded and ignore risks, and in the end it is ordinary users who suffer. While regulation is lacking, KOLs and platforms should take more responsibility. They cannot think only about promoting products to make money; they must also ensure the safety of users' wallets and the stability of platform operations.

Safety Tips

The DEXX theft has sounded the alarm for on-chain operations and asset management. This is especially true in the Meme space, where users often ignore platform security in pursuit of short-term high returns. To avoid losing everything overnight, here are some safety tips:

  1. Be cautious with recommendations: Research a product's security mechanisms in depth and give priority to tools that do not store private keys on servers. Be wary of promises of high returns and avoid falling into marketing traps.

  2. Choose an experienced platform: Use tools and bots that have been in operation for a long time, have a strong team, and have no record of security incidents. Verify the platform's track record and user feedback to reduce risk.

  3. Beware of phishing attacks: Never click on unfamiliar links or reply to private messages in Telegram groups. Many phishing attacks are carried out through social media; staying vigilant and questioning the source of information is key to protecting your assets.

  4. Self-custody of assets: After a large transaction, move the assets to a self-custody wallet promptly. This effectively avoids the security risks introduced by third-party platforms and is the best way to keep funds safe.

In addition, when choosing a trading platform, focus on its security audit results and its private key management practices. Every project that handles user funds requires strict security protection so that users' digital assets are not lost through platform management failures.

Final Thoughts

The DEXX incident once again revealed the high risk of on-chain trading and raised profound questions about decentralized custody. Users must understand the importance of "Not Your Keys, Not Your Money" and carefully choose trading platforms and asset management methods to better protect their digital assets. As the security firms' investigation deepens, we hope the root cause of the problem is found as soon as possible and that the victims receive corresponding compensation.

Although the crypto world is full of opportunities, it also carries huge risks. Every trader needs to stay clear-headed and not ignore potential dangers for short-term gains. Platforms and KOLs should likewise accept their share of responsibility while pursuing profit. After all, user trust is the most valuable asset; without security guarantees, so-called prosperity is nothing but a bubble. I hope that in the crypto world of the future, platforms, KOLs and users can work together to build a safer and more transparent environment and truly realize the ideal of decentralization.