Written by: SafePal
'The dark forest' is a cosmic sociological principle derived from 'The Three-Body Problem', and it also serves as the starkest summary of the current state of Web3 security: there is plenty of room for imagination and innovative gameplay on-chain, but it is also a 'dark forest', full of bloody and cruel zero-sum games, where ordinary investors mostly play the role of 'prey' in an environment of asymmetric information.
On November 16, multiple community users reported that the on-chain trading terminal DEXX was hacked. Subsequent analysis indicated that DEXX's private key management had obvious vulnerabilities, with private keys even transmitted and stored in plaintext. As of now, the total loss, based on incomplete statistics, exceeds $20 million.
In this context, how ordinary users can improve their on-chain self-protection mechanisms has become an important topic of great concern. SafePal co-founder and CEO Veronica also participated in the 137Labs-hosted 𝕏 Space event 'Security Reflections Triggered by the DEXX Incident: How to Avoid 'Pits' in Crypto Investment', discussing the DEXX security incident with BlockSec founder Andy, veteran trader Club哥, and 137Labs researcher OneOne, among others, and providing practical security advice for crypto investors.
This article summarizes the highlights shared by the guests at this Twitter Space for readers.
The 'unbearable weight' of front-running bot tools
In crypto investment, high returns and absolute security are often difficult to balance. Tools like DEXX and Unibot have won user favor with one-click copy trading and fast fund transfers, but this convenience is built on a centralized architecture, requiring users to authorize funds or provide wallet access, significantly increasing asset risk.
However, users generally underestimate the security requirements of these trading tools, habitually trusting large exchanges while overlooking the risks of smaller tool platforms. The DEXX incident exposed fatal vulnerabilities in the private key management of some trading tools. A true 'non-custodial wallet' should ensure that private keys are stored only on user devices and do not rely on centralized servers. Even if private keys are encrypted, without memory-level security protection (such as a TEE or enclave) the possibility of theft remains.
At the same time, this attack method is complex: hackers disperse and transfer funds to make tracking harder. This not only makes recovering funds more difficult but also indicates that similar future incidents may be even more complex and harder to prevent. It points to two possibilities: either the platform is breached due to technical vulnerabilities, or there is internal embezzlement or deep infiltration. If it is the latter, future risks may be more severe.
Dune data shows that the top five bots ranked by trading volume are: Trojan, BonkBot, Maestro, Banana Gun, and Sol Trading Bot. The 7-day trading volume of each exceeds $100 million, with cumulative user numbers exceeding 300,000. Because of this, the mindset of 'either make a fortune or lose everything' has led most users to overlook potential huge risks.
Image source: Dune
Veronica believes that almost all of these 'front-running' trading tools may face similar security risks. These bots can achieve ultra-fast on-chain trading and avoid manual signing each time because they sacrifice some security and non-custodial characteristics.
Typically, whether using a hardware wallet, APP wallet, or browser plugin wallet, users need to spend a few seconds on manual signature confirmation. However, to improve transaction speed and optimize user experience, these bots usually compromise on the security of private keys to some degree in order to achieve faster transactions.
This design is not entirely wrong, nor can it simply be said that these projects are unsafe. However, it does place extremely high demands on the development team's security defense capabilities. If a team pursues a smooth experience without robust offensive and defensive security capabilities, the consequences of an attack will be extremely severe, and both users and project parties may face huge losses.
In addition, most current trading bots indeed face a significant security risk — to achieve automated trading, they usually generate and store private keys for each user. While this method makes it convenient for users to automate their trading, it also brings extremely high security risks. If an attacker breaches the platform, all stored user private keys may be leaked, resulting in asset loss.
Image source: DEXX's 'Wallet Management' page
However, there is actually a safer trading architecture that can achieve automated trading without using user private keys.
This architecture relies on smart contracts to create 'PDA accounts' associated with user accounts, completing transactions without the need for user private key signatures. The platform can execute transaction instructions through a restricted 'operating account', but the permissions of this operating account are strictly controlled, allowing only transaction operations and prohibiting arbitrary transfers of user assets.
This smart contract-driven design can significantly enhance security because users' private keys are always in their control and are not stored on centralized servers. Although this design is more complex and demands higher engineering and security technology capabilities from the team, it is fully feasible and more secure.
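The permission split described above, as an added illustration: a plain-Python model, not on-chain program code and not any project's implementation. The `Vault` class, the key and venue names, and the slippage bound are assumptions introduced here; the bound is included because restricting the operator to trades only protects funds if the trades themselves are bounded.

```python
# Added model of the restricted-operator design; not on-chain program code.
from dataclasses import dataclass, field

@dataclass
class Vault:
    owner: str                    # user's key; stays on the user's device
    operator: str                 # platform's restricted operating account
    allowed_venues: frozenset     # trading venues approved by the owner
    max_slippage_bps: int = 100   # owner-set limit on price deviation (assumed)
    balances: dict = field(default_factory=dict)

    def swap(self, signer, venue, sell, amount, buy, quote_out, actual_out):
        if signer not in (self.owner, self.operator):
            raise PermissionError("unknown signer")
        if venue not in self.allowed_venues:
            raise PermissionError("venue not approved by owner")
        if self.balances.get(sell, 0) < amount:
            raise PermissionError("insufficient balance")
        # quote_out stands in for a reference price the contract obtains itself.
        min_out = quote_out * (10_000 - self.max_slippage_bps) // 10_000
        if actual_out < min_out:
            raise PermissionError("output below slippage bound")
        self.balances[sell] -= amount
        # Proceeds are credited to the vault, never to the signer.
        self.balances[buy] = self.balances.get(buy, 0) + actual_out

    def withdraw(self, signer, token, amount, destination):
        if signer != self.owner:  # the operator key alone cannot move assets out
            raise PermissionError("only the owner can withdraw")
        if self.balances.get(token, 0) < amount:
            raise PermissionError("insufficient balance")
        self.balances[token] -= amount
        return (destination, token, amount)

def attempt(action, *args):
    """Run one instruction; return 'ok' or the reason it was denied."""
    try:
        action(*args)
        return "ok"
    except PermissionError as exc:
        return str(exc)

def stolen_operator_key_demo():
    # What a holder of only the operator key can and cannot do (constructed values).
    v = Vault("user-key", "operator-key", frozenset({"dex-A"}), balances={"SOL": 1000})
    return v, [
        attempt(v.swap, "operator-key", "dex-A", "SOL", 100, "USDC", 2000, 1990),
        attempt(v.withdraw, "operator-key", "USDC", 1990, "unknown-address"),
        attempt(v.swap, "operator-key", "dex-X", "SOL", 100, "USDC", 2000, 2000),
        attempt(v.swap, "operator-key", "dex-A", "SOL", 100, "USDC", 2000, 1500),
    ]
```

Only the first instruction succeeds; the withdrawal, the unapproved venue and the badly priced trade are all rejected, and the funds stay in the vault until the owner signs a withdrawal.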
Currently, most users are unclear about the differences between these two design patterns, or they may overlook security in pursuit of convenience. However, with the frequent occurrence of security incidents, both users and development teams may begin to pay more attention to safer architectures. This advanced design solution is expected to gradually become popular in the future, reducing the occurrence of similar DEXX incidents.
From transaction authorization to private key protection, the Web3 security chain
OneOne believes that current on-chain security risks can be divided into two major categories, covering aspects from transaction authorization to private key protection.
The first common attack method is 'Approve Deception'. For example, an attacker may send a small amount of cryptocurrency or airdrop NFTs, luring users to click and authorize transactions. This could allow the attacker to gain access to the user's wallet, resulting in the theft of the user's assets (including cryptocurrencies and NFTs). Users should handle tokens and airdrops from unknown sources cautiously and avoid authorizing them easily.
Private key theft generally occurs in several ways:
The first type is 'malware attacks'. For example, some attackers pretend to invite users to test new projects, luring users to download executable files containing Trojan viruses. Once infected, the user's private keys and account passwords can be easily stolen.
The second type is 'clipboard attacks', where attackers gain access to users' clipboard through phishing websites. When users copy and paste their private keys, this sensitive information can be intercepted and exploited by attackers.
Additionally, there are cases of 'remote control attacks', where malicious remote software controls the user's computer and even directly steals private keys while the user is resting. For instance, tools commonly used by airdrop users, such as 'fingerprint browsers', often involve cloud storage functions. If breached, users' assets can be easily stolen. Many users do not set up two-factor authentication (2FA) when using these tools, further exacerbating the risks.
Lastly, there is the 'input method vulnerability'. Many users prefer using smart input methods, but these may collect users' input data and store it in the cloud, increasing the possibility of private key leakage. It is recommended that users try to use the system's built-in input method, which, although less functional, is more secure.
Overall, when users trade on-chain, especially when using DeFi applications or trading tools, they need to take additional security precautions. Authorization management is a highly important issue — because Ethereum's mechanism requires users to grant token authorization to smart contracts, attackers can exploit this authorization mechanism for malicious operations. Therefore, users should frequently check their wallet's authorization list and revoke unnecessary authorizations in a timely manner, especially those early authorizations that may have been forgotten, to reduce risk.
Moreover, when users choose DeFi platforms, they should review the platform's security measures, including whether there are comprehensive audit reports, ongoing automated security monitoring, and whether the platform regularly upgrades and fixes vulnerabilities. It is also recommended for users to diversify asset management when using Trading Bots, not to store large amounts of funds in accounts controlled by trading bots, and to transfer profits to safer wallets as soon as possible to reduce potential losses.
Club哥 stated that as a trader, it is crucial to be familiar with the mechanisms of trading tools and platforms. In the current environment of dogecoin trading, many people only focus on the thrill of price surges and drops, neglecting the security risks of trading tools. Users should set up security alerts, such as pool drain or liquidation warnings, to keep risks in check.
Veronica emphasized a simple yet important principle: there is always a compromise between efficiently pursuing profits and ensuring comprehensive security. Therefore, the key advice is to ensure fund isolation. If you find yourself anxious and unable to sleep due to oversized investment positions, frequently checking your phone, it likely indicates that your fund allocation has exceeded your risk tolerance.
What practical on-chain security query tools are available?
Veronica recommends users utilize built-in security tools in non-custodial wallets like SafePal, such as regularly checking authorization functions — users can scan all their authorization records across multiple chains and revoke unnecessary authorizations with one click to reduce the risk of being exploited by hackers.
Image source: SafePal's 'Approval Manager' feature
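One way the authorization check recommended above can be done for ERC-20 tokens, as an added example that is not SafePal's or any wallet's own code: replay `Approval` event logs for one owner and list what is still outstanding. The addresses and log entries are constructed sample data, block numbers are assumed to be already decoded to integers, and the `stale_after` threshold is a hypothetical default.

```python
# Added example; every address and log entry below is constructed sample data.
# topic0 = keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    # An indexed address is left-padded to 32 bytes; keep the last 20 bytes.
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner):
    """Map (token, spender) -> (last approved amount, block) for non-zero approvals."""
    latest = {}
    for log in sorted(logs, key=lambda entry: (entry["blockNumber"], entry["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval has the same signature hash but a 4th topic (tokenId).
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = (int(log["data"], 16), log["blockNumber"])
    # transferFrom may lower an allowance without a new event, so these amounts
    # are upper bounds; confirm with the token's allowance() before acting.
    return {k: v for k, v in latest.items() if v[0] > 0}

def revoke_candidates(logs, owner, current_block, stale_after=1_000_000):
    """Flag approvals that are unlimited or older than stale_after blocks."""
    findings = []
    for (token, spender), (amount, block) in outstanding_approvals(logs, owner).items():
        checks = (("unlimited", amount == UNLIMITED),
                  ("stale", current_block - block > stale_after))
        reasons = [name for name, hit in checks if hit]
        if reasons:
            findings.append((token, spender, reasons))
    return findings

def make_log(token, owner, spender, amount, block, index=0):
    # Builds one constructed log entry in the usual address/topics/data shape.
    padded = ["0x" + a[2:].rjust(64, "0") for a in (owner, spender)]
    return {"address": token, "topics": [APPROVAL_TOPIC] + padded,
            "data": "0x" + format(amount, "064x"), "blockNumber": block, "logIndex": index}

OWNER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN_A, TOKEN_B = "0x" + "a1" * 20, "0x" + "b2" * 20
DEX, OLD_DAPP = "0x" + "c3" * 20, "0x" + "d4" * 20
SAMPLE_LOGS = [
    make_log(TOKEN_A, OWNER, OLD_DAPP, UNLIMITED, 100),   # early, forgotten approval
    make_log(TOKEN_A, OWNER, DEX, 500, 200),
    make_log(TOKEN_A, OWNER, DEX, 0, 300),                # explicit revoke
    make_log(TOKEN_B, OWNER, DEX, 1000, 400),
    make_log(TOKEN_B, OTHER, DEX, UNLIMITED, 450),        # another owner's approval
]
```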
Additionally, scammers often use small transactions to pass their own addresses off as a user's transfer addresses in order to defraud funds. Currently, mainstream wallets like OKX Web3 wallet and SafePal have added risky-transaction interception services against such 'front-and-back attacks'. At the same time, the combination of hardware wallets and password phrases (Passphrase) is also a little-known but very practical feature, especially suitable for users with multiple trading accounts.
The password phrase serves as the 13th word, combined with the original 12 mnemonic words to generate a brand new wallet address. Even if someone obtains your mnemonic words, they cannot access assets without the password phrase. This means users can create multiple wallet accounts in this way to ensure security.
This method not only enhances the security of private keys but also allows users to flexibly manage assets across multiple accounts, and the password phrase can exist only in the user's mind, further enhancing security.
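How the password phrase changes the wallet, as an added example that assumes the wallet derives its seed the way BIP-39 specifies (not code from SafePal or any wallet vendor). It uses the public BIP-39 test mnemonic and constructed passphrases, and it also shows the failure mode worth knowing: no passphrase is rejected as wrong, so a typo silently opens a different, empty wallet.

```python
# Added example, assuming the wallet derives its seed as BIP-39 specifies.
import hashlib
import hmac
import unicodedata

# Public BIP-39 test-vector mnemonic; never fund a wallet derived from it.
TEST_MNEMONIC = "abandon " * 11 + "about"

def nfkd(text):
    # BIP-39 normalizes mnemonic and passphrase to Unicode NFKD before hashing.
    return unicodedata.normalize("NFKD", text).encode("utf-8")

def bip39_seed(mnemonic, passphrase=""):
    """PBKDF2-HMAC-SHA512 over the mnemonic, salted with "mnemonic" + passphrase."""
    salt = nfkd("mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", nfkd(mnemonic), salt, 2048, 64)

def master_private_key(seed):
    """BIP-32 root key: left half of HMAC-SHA512 keyed with b"Bitcoin seed"."""
    return hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()[:32]

def same_wallet(mnemonic, passphrase_a, passphrase_b):
    """True when both passphrases give the same root key, hence the same addresses."""
    key_a = master_private_key(bip39_seed(mnemonic, passphrase_a))
    key_b = master_private_key(bip39_seed(mnemonic, passphrase_b))
    return hmac.compare_digest(key_a, key_b)

def passphrase_pitfalls(mnemonic=TEST_MNEMONIC):
    # Every variant is accepted; only an exact match reaches the same wallet.
    return {
        "mnemonic only vs passphrase": same_wallet(mnemonic, "", "vault 2024"),
        "different capitalisation": same_wallet(mnemonic, "vault 2024", "Vault 2024"),
        "trailing space": same_wallet(mnemonic, "vault 2024", "vault 2024 "),
        "composed vs decomposed accent": same_wallet(mnemonic, "caf\u00e9", "cafe\u0301"),
    }
```

Only the last pair maps to the same wallet, because normalization makes the two spellings of the accented character identical; capitalisation and whitespace are significant.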
Andy also emphasized that many times when users encounter security incidents, it may not only be due to risks inherent in the project but also related to insufficient security habits of the users themselves. Even if users realize they hold a significant amount of cryptocurrency or know the risks of investment trading, they still often expose their assets to danger due to bad habits.
It is recommended that users build their security awareness and habits around isolation: storing large assets in cold wallets, only using them for interaction and not for direct fund transfers, and using a dedicated phone (like an iPhone) to manage crypto assets, reserved for cryptocurrency trading or private key management, with no unrelated software installed and no other activities carried out on this device. Doing so can significantly reduce the risk of private key leakage.
Conclusion
The DEXX security incident reveals the core dilemma in the field of on-chain trading tools: how to find a balance between convenience and security?
In the pursuit of efficient trading and user experience, the platform's security design must not be sacrificed. Both technical shortcomings, the centralized storage of private keys and the lack of memory-level protection, expose user assets to high risks.
'There is always a compromise between high returns and absolute security.' For investors, understanding the risk logic behind trading tools and cultivating good security habits are fundamental to traversing the 'dark forest' of on-chain trading. In this decentralized and uncertain ecosystem, only by controlling your own private keys can you truly control your assets and promote the healthier development of the entire on-chain ecosystem.