On November 16, 2024, 137Labs held a highly anticipated X Space event themed "Security Reflections Triggered by the DEXX Incident: How to Avoid 'Pits' in Crypto Investment?". The event brought together several senior experts from the cryptocurrency field, including BlockSec founder Andy, SafePal co-founder and CEO Veronica, senior trader Trader, and 137Labs researcher OneOne, for an in-depth discussion of the recent DEXX security incident and practical security advice for cryptocurrency investors.

During the event, the guests reviewed the private key theft incident encountered by DEXX and analyzed the potential risks in private key management and system design of such trading tools. The guests also explored the commonalities behind the frequent on-chain security incidents in recent years, revealing how users can more scientifically manage cryptocurrency assets, protect personal privacy, and effectively respond to new types of scams. The discussion covered multiple perspectives from diversification strategies, fund isolation, to using security tools and cultivating good security habits, providing deep security insights for the cryptocurrency community.

This article will take you through this highly informative exchange, comprehensively interpreting the security warnings behind the DEXX incident to help you better avoid risks and protect your assets in the complex and ever-changing cryptocurrency market.

Incident Review

The core issue of the DEXX incident focuses on its centralized security vulnerabilities. OneOne briefly reviewed the incident, pointing out that DEXX is a bot tool that provides priority purchasing features for meme coin trading, which recently saw a surge in users amid market frenzy around projects like $ACT. However, on the morning of November 13, multiple users reported their funds being stolen on the Solana chain, and investigations revealed that the attack originated from the compromised centralized servers of DEXX.

Specifically, DEXX requires users to submit their private keys and stores them on a centralized server. This server was attacked, and attackers successfully obtained users' private keys and transferred their assets. Further analysis indicates that DEXX's private key management has significant vulnerabilities, with private keys even being transmitted and stored in plaintext. This design flaw led to substantial losses of user funds.

Q1

What are the commonalities in similar security incidents, and why do these events keep occurring one after another?

Andy pointed out that on-chain security incidents are not new; past trading tools like UniBot have also been attacked, revealing fatal issues in user private key management. He explained that a so-called 'non-custodial wallet' should store private keys only on the user's device, never on the platform's servers. DEXX failed to achieve this: user private keys were stored on a centralized backend, increasing the exposure to attack. Even if such private keys are encrypted, a lack of memory-level security protections (such as a TEE, a trusted execution environment, or enclave technology) can still lead to private key theft, because the keys must be decrypted in server memory to sign transactions.

As tools like DEXX and UniBot gained popularity for their fast trade execution, users overlooked their security design shortcomings. Compared with the mature security teams of large exchanges, these rapidly growing tool platforms often lack sufficient security capabilities, so the risk to assets is significantly higher. Andy pointed out that users generally underestimate the security requirements of these trading tools, habitually trusting large exchanges while neglecting the risks of smaller tool platforms. He called on the crypto community to raise security awareness, pay attention to private key management vulnerabilities, and promote better security practices to reduce the occurrence of similar events in the future.

Veronica pointed out that in cryptocurrency investment, it is difficult to balance high returns with absolute security. Trading tools like DEXX and UniBot are popular because they provide a smooth user experience, such as one-click following and quick fund transfers. However, this convenience often relies on centralized architectures, requiring users to authorize funds in advance or provide wallet access.

She explained that while DEXX claims to be a 'decentralized' and 'non-custodial' platform, the reality is that users' private keys are stored on centralized servers. In this security incident, the SlowMist team has confirmed that private keys were leaked, leading to significant asset theft for many users. Whether due to the platform's insufficient capabilities, design flaws, or even possible collusion, this incident ultimately exposed the immense risks of such designs.

Veronica emphasized that this attack was carried out in a sophisticated way: the hackers dispersed the stolen funds across many new wallets rather than concentrating them in a few addresses for mixing. This strategy makes tracking much harder, makes recovery unlikely, and shows that attackers' methods are continuously evolving.

She proposed two possibilities: either the platform was hacked due to insufficient technical capabilities, or worse, there were internal collusions or deep hacker infiltrations. If the latter is true, future scams may become more complex and difficult to prevent. Veronica expressed regret that this incident caused many investors to experience a 'Black Saturday'; the SlowMist team has already received over 500 reports of victims, with total losses exceeding $13 million. She reminded users to enhance their security awareness, especially when it comes to private keys, to prevent similar incidents from happening again.

The trader pointed out that many players in the low-quality token market do not pay attention to security issues. Typically, someone in the group announces a certain contract address, and regardless of whether the project itself is reliable, everyone rushes to copy and paste it into their trading tools, hoping to make a profit. This mentality of 'either making a fortune or losing everything' leads most users to overlook the potential significant risks, resulting in their assets potentially being stolen before they can withdraw.

Q2

Can it be concluded that all similar front-running bot tools or pre-trade tools may have similar security issues and risks?

Veronica pointed out that almost all such 'front-running' trading tools may face similar security risks. She explained that these bots can achieve ultra-fast on-chain transactions and avoid manual signing each time because they sacrifice some security and non-custodial features. Typically, regardless of whether users are using hardware wallets, app wallets, or browser extension wallets, they need to spend a few seconds for manual signing confirmation. However, to enhance transaction speed and optimize user experience, these bots often compromise and reduce the security of private keys to achieve quicker transactions.

Veronica pointed out that this design is not entirely wrong, nor can it be simply said that these projects are unsafe. However, it does impose extremely high demands on the security capabilities of the development team. To achieve a smooth experience, if the development team cannot ensure robust security defense capabilities, the consequences can be severe once an attack occurs, potentially leading to significant losses for both users and the project side. Therefore, Veronica emphasizes that while these tools bring convenience to users, the potential risks are also evident, especially when the team's security defense capabilities are insufficient.

Andy added that currently, most trading bots face a significant security risk: to achieve automated trading, they typically generate and manage private keys for each user. While this approach makes it convenient for users to automate following trades, it also introduces high security risks. If attackers breach the platform, all stored user private keys may be leaked, leading to asset losses.

However, Andy pointed out that there is actually a safer trading architecture that can achieve automated trading without using the user's private key. This architecture relies on smart contracts, creating a 'PDA account' (a program-derived address) associated with the user's account, allowing transactions to be completed without the user's private key signature. The platform executes trade instructions through a restricted 'operational account,' but the permissions of this operational account are strictly controlled: it may only perform trade operations and cannot arbitrarily transfer user assets elsewhere.

This smart contract-driven design can significantly enhance security because users' private keys are always in their control and not stored on centralized servers. He pointed out that while this design is more complex and requires higher engineering and security technical capabilities from the team, it is entirely feasible and safer.

Currently, most users are unclear about the differences between these two design patterns, or they may overlook security in pursuit of convenience. However, Andy stated that with the frequent occurrence of security incidents, users and development teams may increasingly focus on safer architectures. He believes that such advanced design solutions are expected to gradually become popular in the future, reducing the occurrence of similar DEXX incidents.
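The contrast Andy draws between the two designs is easier to see in code. The following is an added illustrative model written for this article, not code from DEXX, UniBot or any real on-chain program: a custodial key store that holds every user's private key on the server, versus a user-owned vault (the off-chain analogue of the PDA account described above) that a restricted operator key may trade from but never withdraw from. All names, pools and balances are constructed placeholders.

```python
"""Added illustrative model (not DEXX's, UniBot's or any real program's code) of the
two bot architectures: a custodial server-side key store versus a user-owned vault
whose operator key is limited to whitelisted swaps."""
import secrets
from dataclasses import dataclass, field


class CustodialKeyStore:
    """Architecture A: the server keeps a user -> private-key map.
    Every key is exposed the moment the server is compromised."""

    def __init__(self):
        self._keys = {}

    def register(self, user):
        # Hypothetical: the bot generates a hot-wallet key for each user.
        self._keys[user] = secrets.token_hex(32)

    def dump(self):
        # What an attacker with server access obtains: all keys at once.
        return dict(self._keys)


@dataclass
class Vault:
    """Architecture B: funds sit in a vault controlled by the user's own key.
    The bot's operator key gets one capability: swap through whitelisted pools."""
    owner: str
    operator: str
    allowed_pools: frozenset
    balances: dict = field(default_factory=dict)

    def swap(self, caller, pool, sell_token, buy_token, amount_in, amount_out):
        if caller not in (self.owner, self.operator):
            raise PermissionError("caller is neither the owner nor the operator")
        if pool not in self.allowed_pools:
            raise PermissionError(f"pool {pool} is not whitelisted")
        if self.balances.get(sell_token, 0) < amount_in:
            raise ValueError("insufficient balance")
        self.balances[sell_token] -= amount_in
        self.balances[buy_token] = self.balances.get(buy_token, 0) + amount_out
        return self.balances[buy_token]

    def withdraw(self, caller, token, amount, destination):
        # Only the owner key can move value out of the vault.
        if caller != self.owner:
            raise PermissionError("only the owner key may withdraw")
        if self.balances.get(token, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[token] -= amount
        return (destination, token, amount)


def custodial_breach(users):
    """Number of private keys an attacker obtains from a breached custodial store."""
    store = CustodialKeyStore()
    for u in users:
        store.register(u)
    return len(store.dump())


def delegated_breach(vault, attacker_dest="attacker-address"):
    """Attacker holds the operator key. Withdrawal is denied; a whitelisted swap
    still succeeds, which is the residual risk of this design."""
    withdraw_blocked = False
    try:
        vault.withdraw(vault.operator, "SOL", 1.0, attacker_dest)
    except PermissionError:
        withdraw_blocked = True
    vault.swap(vault.operator, "pool-A", "SOL", "MEME", 1.0, 1000.0)
    return withdraw_blocked, dict(vault.balances)


if __name__ == "__main__":
    print("custodial keys leaked:", custodial_breach(["alice", "bob", "carol"]))
    v = Vault(owner="alice-key", operator="bot-operator-key",
              allowed_pools=frozenset({"pool-A"}), balances={"SOL": 10.0})
    print("delegated design (withdraw blocked, balances):", delegated_breach(v))
```

The point of `delegated_breach` is the caveat: a compromised operator key cannot drain the vault, but it can still execute bad trades within the whitelist, so the trade-only permission limits the blast radius rather than eliminating it. Keeping only working capital in the vault, as the speakers recommend, is what bounds that residual loss.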

Q3

In addition to the private key management issues exposed in today's DEXX incident, what other potential security vulnerabilities should users pay special attention to?

OneOne divides security risks into two major categories, covering aspects from trading authorization to private key protection.

First, he mentioned a common method of attack, 'Approve Deception.' For example, attackers send small amounts of cryptocurrency or airdropped NFTs through 'dust attacks' to entice users to click and sign an authorization transaction. That authorization can give attackers access to the user's wallet and let them drain its assets, including cryptocurrencies and NFTs. He urged users to be cautious with tokens and airdrops from unknown sources and to avoid granting authorizations lightly.

Second, he covered the various ways private keys can be stolen. The first is 'malware attacks,' where attackers pose as inviting users to test new projects and trick them into downloading executable files that contain Trojans. Once infected, users' private keys and account passwords can be easily stolen. The second is 'clipboard' attacks, where attackers gain access to users' clipboard contents via phishing websites; when users copy and paste their private keys, this sensitive information can be intercepted and exploited.

Additionally, he mentioned cases of 'remote control attacks,' where malicious remote software manipulates users' computers, even stealing private keys while users are resting. He emphasized that some users of airdrop schemes might use 'fingerprint browsers' to manage multiple accounts. However, such browsers often involve cloud storage features, which pose a higher security risk. If these cloud storage accounts are breached, users' assets can be easily stolen. He specifically mentioned that many users do not set up two-factor authentication (2FA) when using these tools, further exacerbating the risk.

Finally, he mentioned 'input method vulnerabilities.' Many users prefer using smart input methods, but these input methods may collect user input data and store it in the cloud, increasing the risk of private key leakage. OneOne recommends that users try to use the built-in input method of the system, which, while having fewer features, offers higher security.

He concluded that to protect their cryptocurrency assets, users should implement isolation measures. For example, store large amounts of assets in cold wallets that are only used for interactions and cannot directly transfer funds. Furthermore, he stressed the importance of avoiding tools that may leak private keys in operations related to airdrops and trading, recommending cold wallets as a safer solution, especially when high security protection is needed.

Andy pointed out that users need to take extra security precautions when trading on-chain, especially when using DeFi applications or trading tools. He mentioned that authorization management is a highly critical issue for users frequently trading on Ethereum-compatible chains. Due to Ethereum's mechanism requiring users to grant token authorization to smart contracts, attackers can exploit this authorization mechanism for malicious operations. Therefore, users should regularly check their wallet's authorization list and promptly revoke unnecessary authorizations, especially those that may have been forgotten from early authorizations, to reduce risk.
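Andy's advice to audit and revoke approvals, and OneOne's 'Approve Deception' warning above, both come down to knowing which spenders still hold an allowance on your tokens. The block below is an added example, not code from the article or from any wallet vendor: it replays ERC-20 `Approval` event logs in chain order to reconstruct a wallet's outstanding allowances and flags the ones that are unlimited or long forgotten. The log records are constructed here in the shape `eth_getLogs` returns, with placeholder token and spender addresses; a real audit would fetch them from a node using a topic filter on the standard `Approval(address,address,uint256)` signature.

```python
"""Added example (not from the original article or any wallet vendor): rebuild a
wallet's outstanding ERC-20 approvals from Approval event logs and flag the risky
ones. All addresses and log records below are constructed placeholders."""

# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1


def address_to_topic(addr):
    """Left-pad a 20-byte address to the 32-byte indexed-topic form."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def topic_to_address(topic):
    return "0x" + topic[-40:]


def approval_log(token, owner, spender, value, block, index):
    """Build one constructed Approval log record in eth_getLogs shape."""
    return {
        "address": token,
        "topics": [APPROVAL_TOPIC, address_to_topic(owner), address_to_topic(spender)],
        "data": "0x" + format(value, "064x"),
        "blockNumber": block,
        "logIndex": index,
    }


# Constructed sample data: placeholder addresses, not real contracts.
OWNER = "0x" + "aa" * 20
TOKEN_1 = "0x" + "11" * 20
TOKEN_2 = "0x" + "22" * 20
DEX_ROUTER = "0x" + "d1" * 20
OLD_DAPP = "0x" + "0d" * 20
PHISH_SPENDER = "0x" + "bb" * 20

SAMPLE_LOGS = [
    # a forgotten unlimited approval from years ago
    approval_log(TOKEN_1, OWNER, OLD_DAPP, UINT256_MAX, 15_000_000, 3),
    # a bounded, recent approval to a router
    approval_log(TOKEN_1, OWNER, DEX_ROUTER, 500 * 10**18, 19_990_000, 7),
    # an unlimited approval tricked out of the user, then revoked (value 0)
    approval_log(TOKEN_2, OWNER, PHISH_SPENDER, UINT256_MAX, 19_995_000, 1),
    approval_log(TOKEN_2, OWNER, PHISH_SPENDER, 0, 19_996_000, 2),
]
CURRENT_BLOCK = 20_000_000


def current_allowances(logs, owner):
    """Replay Approval events in chain order; the latest value per (token, spender) wins."""
    owner_topic = address_to_topic(owner)
    allowances = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0] != APPROVAL_TOPIC or log["topics"][1] != owner_topic:
            continue
        spender = topic_to_address(log["topics"][2])
        allowances[(log["address"], spender)] = {
            "value": int(log["data"], 16), "block": log["blockNumber"]}
    return allowances


def risky_allowances(allowances, current_block, stale_after_blocks=1_000_000):
    """Return (token, spender, reasons) for every non-zero allowance that is
    unlimited or older than stale_after_blocks."""
    findings = []
    for (token, spender), info in sorted(allowances.items()):
        if info["value"] == 0:
            continue  # already revoked
        reasons = []
        if info["value"] == UINT256_MAX:
            reasons.append("unlimited")
        if current_block - info["block"] > stale_after_blocks:
            reasons.append("stale")
        if reasons:
            findings.append((token, spender, reasons))
    return findings


if __name__ == "__main__":
    for token, spender, reasons in risky_allowances(
            current_allowances(SAMPLE_LOGS, OWNER), CURRENT_BLOCK):
        print(f"revoke {spender} on {token}: {', '.join(reasons)}")
```

Revoking is itself an `approve(spender, 0)` transaction signed by the owner, which is why the revoked phishing allowance in the sample drops out of the report. The staleness threshold is an assumption chosen for the example; what matters is that approvals do not expire on their own, so anything you no longer recognise is a standing liability.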

He also emphasized that when users choose DeFi platforms, they should review the platform's security measures, including whether there are comprehensive audit reports, continuous automated security monitoring, and whether the platform regularly updates and fixes vulnerabilities. He noted that while understanding these security details requires some professional knowledge, it is a necessary learning cost for profiting in the DeFi space.

When using a trading bot, he advised users to ensure that their assets are diversified and not to keep large amounts of money in accounts controlled by trading bots. After making a profit, funds should be transferred to a safer wallet as soon as possible to mitigate potential losses.

The trader mentioned that as a trader, being familiar with the mechanisms of trading tools and platforms is crucial. In the current environment of trading low-quality tokens, many people focus only on the thrill of dramatic price fluctuations, ignoring the security risks of trading tools. He admitted that the theft of his assets on the DEXX platform was not accidental but stemmed from multiple oversights. He acknowledged having a basic understanding of the platform and knowing that transferring money to a wallet controlled by others is risky, but he had not conducted an in-depth review of DEXX's specific security mechanisms.

The trader mentioned that he thought his funds were safe because he did not import his mnemonic phrase. However, he underestimated the vulnerabilities in the platform's private key storage method: DEXX actually stored users' private keys in plaintext on the front end, allowing attackers to easily read and steal assets. It was only when this hidden danger was exposed that he realized his negligence in the due diligence of trading tools.

He reflected that when chasing high returns, traders should set up security alerts, such as pool drain or liquidation warnings, to keep risks under control at all times. He emphasized that blindly pursuing the thrill of low-quality token price fluctuations without paying attention to security will only lead to greater losses. He recommends that every trader judiciously assess security when choosing tools, operate rationally, and avoid being swayed by market emotions.

Veronica wants to emphasize a simple yet important principle: there is always a compromise between efficiently chasing profits and comprehensive security. Therefore, her most critical advice is to ensure fund isolation. Moreover, if you find yourself anxious and unable to sleep due to oversized investment positions, frequently checking your phone, it likely indicates that your fund allocation has exceeded your risk tolerance.

She reminds everyone that trading cryptocurrencies is one aspect, but maintaining a healthy and balanced life is equally important. Especially in high-risk asset classes, particularly meme coins, their price fluctuations can be very drastic.

Furthermore, she suggested that investors regularly assess their positions and promptly revoke unnecessary authorizations. At the same time, she encouraged everyone to pay more attention to security-related accounts, as these accounts continuously update new scam techniques and security cases. As scam techniques evolve, keeping information updated can help everyone enhance their security awareness and gradually form vigilant and rational investment habits.

Q4

What practical tools can quickly query project security? Please share some recommended on-chain security query tools with the audience.

Veronica recommends users to utilize some built-in features of non-custodial wallets. For instance, the function of regularly checking authorizations allows users to scan all their authorization records across multiple chains and revoke unnecessary authorizations with one click, reducing the risk of being exploited by hackers.

Wallets also carry features aimed at constantly evolving scam techniques. She mentioned that scammers often spread mnemonic phrases to lure users into depositing funds through seemingly innocent conversations. Wallets can also identify 'tail-end phishing' scams (address poisoning), where scammers send small transactions from an address that mimics the first and last characters of the user's usual transfer address, hoping the user later copies the wrong one from their history. Veronica recommends using established non-custodial wallets because they have more experience and more protective mechanisms against these new types of scams.
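The 'tail-end phishing' pattern is mechanical enough to check for. Below is an added example, not from the article or from SafePal's code, with two defensive checks: one that tells whether a destination address merely imitates a saved counterparty, and one that scans transfer history for the poisoning setup itself (tiny or zero-value incoming transfers from lookalike addresses). The address book and history are constructed samples; the four-character prefix and suffix width is an assumption matching how wallets truncate addresses.

```python
"""Added example (not the article's or any wallet's code): detecting address
poisoning, i.e. counterparties that imitate the first and last characters of an
address the user actually uses. Sample data is constructed."""


def _norm(addr):
    """Hex (0x) addresses are case-insensitive; other formats are left as-is."""
    a = addr.strip()
    return a[2:].lower() if a.lower().startswith("0x") else a


def lookalike_of(candidate, address_book, prefix=4, suffix=4):
    """Return the saved address that `candidate` imitates (same first and last
    characters but not identical), or None if it is an exact match or unrelated."""
    c = _norm(candidate)
    saved_norm = [(s, _norm(s)) for s in address_book]
    if any(c == n for _, n in saved_norm):
        return None  # exact match with a trusted entry
    for saved, n in saved_norm:
        if len(n) == len(c) and n[:prefix] == c[:prefix] and n[-suffix:] == c[-suffix:]:
            return saved
    return None


def poisoning_transfers(history, address_book, prefix=4, suffix=4):
    """Scan incoming transfers for the poisoning setup: transfers (often zero-value)
    from addresses that imitate a counterparty in the address book."""
    hits = []
    for tx in history:
        if tx["direction"] != "in":
            continue
        mimicked = lookalike_of(tx["counterparty"], address_book, prefix, suffix)
        if mimicked is not None:
            hits.append((tx["counterparty"], mimicked, tx["value"]))
    return hits


# Constructed sample: one trusted counterparty, one lookalike, one unrelated sender.
ADDRESS_BOOK = ["0x1234567890abcdef1234567890abcdef12345678"]
POISON = "0x1234" + "ee" * 16 + "5678"          # same first/last 4 hex chars
UNRELATED = "0x" + "99" * 20
SAMPLE_HISTORY = [
    {"direction": "out", "counterparty": ADDRESS_BOOK[0], "value": 1000.0},
    {"direction": "in", "counterparty": POISON, "value": 0.0},      # poison transfer
    {"direction": "in", "counterparty": UNRELATED, "value": 50.0},
]


if __name__ == "__main__":
    print("lookalike:", lookalike_of(POISON, ADDRESS_BOOK))
    print("poisoning transfers:", poisoning_transfers(SAMPLE_HISTORY, ADDRESS_BOOK))
```

The practical habit this encodes: never copy a destination out of transaction history; use a saved address-book entry and compare the whole string, not just the visible ends.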

Additionally, she suggested that users regularly consolidate large assets into safer cold wallets or independent accounts. Especially when participating in high-risk projects like investing in meme coins, promptly consolidating floating profits can reduce losses caused by account hacks.

Finally, she shared a lesser-known but very practical feature: the passphrase. This feature is particularly suitable for users with multiple cryptocurrency accounts. The passphrase acts as a '13th word' that combines with the original 12 mnemonic words to generate a new wallet address. Even if someone obtains your mnemonic phrase, without the passphrase they cannot access your assets. Users can create multiple wallet accounts in this manner, each protected in this way. This method not only enhances the security of private keys but also lets users manage assets flexibly across multiple accounts, and because the passphrase can exist only in the user's memory, security is further enhanced.
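To show what the '13th word' actually does, here is an added example written for this article, not code from the article or from any wallet: the BIP39 seed derivation that standard mnemonic wallets use, where the passphrase is mixed into the PBKDF2 salt. The mnemonic is the well-known all-'abandon' test vector from the BIP39 specification, not a live wallet, and the passphrases are arbitrary sample strings. It also demonstrates the caveat that the passphrase is not a dictionary word and carries no checksum, so any typo silently opens a different, empty wallet.

```python
"""Added example (not the article's or any wallet's code): BIP39 seed derivation
with and without a passphrase. The mnemonic is the BIP39 specification's
all-'abandon' test vector; passphrases here are sample strings."""
import hashlib
import unicodedata

MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic, passphrase=""):
    """seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds, 64 bytes).
    The passphrase is any string, so every distinct value (typos included) is a wallet."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, dklen=64)


def seeds_for(mnemonic, passphrases):
    """One mnemonic, many hidden wallets: map each passphrase to its seed (hex)."""
    return {p: bip39_seed(mnemonic, p).hex() for p in passphrases}


def passphrase_is_sensitive(mnemonic, passphrase):
    """Caveat check: a one-character change (here, case) yields a different seed,
    and nothing in the derivation tells the user the passphrase was mistyped."""
    variant = passphrase.swapcase() if passphrase else "x"
    return bip39_seed(mnemonic, passphrase) != bip39_seed(mnemonic, variant)


if __name__ == "__main__":
    for p, seed in seeds_for(MNEMONIC, ["", "TREZOR", "trezor"]).items():
        print(f"passphrase={p!r:10} seed={seed[:16]}...")
    print("typo yields a different wallet:", passphrase_is_sensitive(MNEMONIC, "TREZOR"))
```

Because the passphrase lives only in memory, as Veronica notes, the failure mode to plan for is forgetting it: there is no recovery path, and a mistyped passphrase shows an empty balance rather than an error.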

OneOne recommended a commonly used on-chain security tool, Scam Sniffer, suitable for use on browsers or social media platforms. He mentioned that Scam Sniffer alerts users when they encounter phishing addresses or risky websites while visiting sites or interacting on-chain. He believes it can help protect users from phishing attacks to some extent.

Additionally, he emphasized that the best security tool is actually the user's own awareness of prevention. Many security threats in Web3 stem from users neglecting the security of their digital assets, and good security habits developed in Web2, such as avoiding phishing websites and cautious authorization, should continue to be upheld in the Web3 world. OneOne reminds everyone that maintaining high vigilance and regularly updating security knowledge is the core response to on-chain security risks.


The trader admitted that many cryptocurrency investors only raise their security awareness after suffering losses. Common security issues in everyday trading include whether a contract's owner permissions have been renounced, whether the token is a honeypot, whether there is insider trading, whether the contract can modify token balances, and whether it calls other unsafe contracts. He emphasized that many users fall victim because they overlook these contract-level details. Some contracts copy others and then add malicious token transfers or hide high fees in transactions.

The trader also reflected on his losses in the DEXX incident. He stated that although he had a sufficient understanding of trading risks and had accumulated some knowledge in methodology, without experiencing such incidents, security awareness might still not be alert enough. For him, the greatest significance of this Space was not to learn more methodologies but to reinforce security awareness once again. He reminded everyone that before impulsively participating in 'low-quality token' investments, even when seeing the project team publish the contract address, it is important to think calmly and carefully check for potential risks. He concluded that maintaining vigilance and continuously reviewing past experiences is the greatest lesson investors should learn from these experiences.

Andy pointed out that many times when users encounter security incidents, it may not only be due to risks inherent in the project itself but also related to insufficient security habits on the part of the users. Even if users realize they hold a significant amount of cryptocurrency or are aware of the risks of investment trading, they often expose their assets to danger due to bad habits.

He shared what he considers a very effective security habit: using a dedicated phone to manage and trade cryptocurrency assets. Andy suggests that investors can purchase a dedicated device, such as an iPhone, to only conduct cryptocurrency trading or private key management, without installing any other unrelated software or engaging in other activities on that device. This approach can significantly reduce the risk of private key leakage, as the dedicated device will not be affected by security threats that may arise from everyday use. He emphasized that this isolation strategy, while seemingly simple, is indeed an effective practice that can greatly enhance security.

Q5

How can one scientifically configure diversification strategies to manage personal assets? What do you consider the safest protective measures?

OneOne shared his diversification strategy in cryptocurrency investment. He stated that his investment portfolio was initially configured in a '6-3-1' ratio: 60% of funds allocated to core assets like Bitcoin and Ethereum, 30% invested in some tokens he considers high-value or certain, and the remaining 10% used for higher-risk investments, such as speculating on low-quality tokens or leveraged trading.

Additionally, OneOne will take a portion of funds specifically for airdrop and arbitrage operations. He admitted that this investment style leads to relatively complex and chaotic position allocations but also provides more flexibility. One of his key strategies is to withdraw the principal immediately after each investment doubles, ensuring locked profits and reduced risk. As a result, his original '6-3-1' position ratio has gradually shifted to a more balanced '5-5' configuration. He emphasized that reasonable diversification and timely profit locking are important measures to protect personal assets.

The trader believes that scientifically managing diversification strategies requires dynamic adjustments based on market conditions and individual investment goals. He pointed out that asset allocation is not merely about 'doubling the principal' but needs to be optimized according to market phases.

The trader also emphasized that diversification management should consider not only the macroeconomic background but also the expected development of sectors. For example, when a particular sector in the cryptocurrency market reaches a specific growth expectation or faces a technological upgrade, positions can be adjusted to shift towards emerging fields with higher potential.

Finally, he mentioned that new narratives or policy changes may also impact diversification decisions. For example, as regulatory policies or technological upgrades evolve (such as improvements in Ethereum's staking mechanism or the emergence of new infrastructure), investors should be prepared to respond and adjust their positions. He concluded that diversification management is a complex discipline, and investors need to continuously optimize their strategies based on market changes to maximize returns and control risks.

Share

OneOne shared some practical methods he used to successfully report fraud and recover losses after experiencing a scam. He pointed out that the key to reporting is finding the right department—the Anti-Fraud Center, which is currently the most efficient place for filing and handling cases, rather than a regular police station. OneOne detailed how he prepared materials: he found relevant cases involving cryptocurrency scams on the court's public website, printed them, and brought this information to the Anti-Fraud Center to request a case filing.

He also suggested collaborating with domestic organizations that have on-chain tracking capabilities, such as 'Chain Security' in cooperation with the police, to help track down and provide evidence, further increasing the chances of successful reporting. Additionally, he reminded users to emphasize that they were indeed scammed locally when reporting. OneOne admitted that this is just his personal experience and may not apply to everyone.

Conclusion

During this X Space event, the guests engaged in an in-depth security discussion regarding the DEXX incident, analyzing common security vulnerabilities of trading tools and sharing rich practical experiences and protective measures. In the face of an increasingly complex cryptocurrency market, protecting personal assets and enhancing security awareness are particularly important. It is hoped that these valuable suggestions can help every investor chase opportunities while more securely safeguarding their wealth.

This article is for sharing and communication purposes only and does not constitute investment advice.

—— END ——