A management error made users pay for it, and the victims are still waiting for compensation.

Article author: How to

Source: Odaily Planet Daily

On November 16, a major security incident broke out on the trading platform DEXX. Hackers exploited the platform's technical loopholes and stole more than $21 million in user funds, with nearly 1,000 victims. This incident not only caused serious economic losses to users, but also had a profound impact on the industry's trust mechanism, and quickly became a hot topic in the field of Web3 security.

After the incident, the DEXX project team failed to disclose the specific reasons for the theft for nearly a month. To make matters worse, the platform founder and users had a public dispute on social media, and the conflict between the two sides continued to escalate.

Recently, Roy, the founder of the DEXX platform, was interviewed and gave detailed answers to the causes of the security incident, the compensation plan for the victims, and the future improvement direction of the platform, trying to respond to various questions from the victims and the market. (Note: The following response is only the personal opinion of DEXX)

The following is the interview transcript:

Could you explain the reason for the theft of DEXX? Is it related to the platform's private key management solution?

Roy: The main reason for the theft was our team's mistake in security management, not a problem with the private key management solution itself.

We use the mainstream trading and custody solutions in the market, which are consistent with many leading platforms (such as BananaGun, Unibot, etc.). This solution has advantages in transaction speed and limit order experience, but it requires extremely high security management of the team. Our mistakes led to the leakage of private keys, and the responsibility lies entirely with us.

Although users reported that private keys were uniformly stored on the server and lacked encryption, this was a misunderstanding of the technical details. In fact, the logic of this solution is to independently generate wallet addresses and is widely used on mainstream platforms in the market. The problem is not the solution itself, but the mistakes made by our team in implementation and management.

On social media, many victims believe that their assets were stolen, but the DEXX platform insisted that it was the theft itself. How do you prove your innocence?

Roy: I have explained many times that if we really have misconduct:

· Security agencies such as SlowMist will not cooperate with us.

Investment institutions will not continue to provide funding.

Law enforcement agencies will take action against us directly rather than helping to hunt down hackers.

In fact, my team and I have no reason to destroy our future for more than 20 million US dollars. Our daily revenue can reach 300,000 or 400,000 US dollars during the peak period of business, and the platform valuation before the incident reached 60 million US dollars. If we really need funds, we can get them in a more reasonable way, such as issuing platform coins or attracting institutional investment.

What is the current progress in investigating the theft cases? What difficulties does the platform encounter in handling the incidents?

Roy: The suspect has been identified in China, but the investigation process is very complicated and involves a lot of time and resources. Law enforcement agencies have been involved since the early stages. To ensure the smooth progress of the investigation, we did not disclose details in the early stages of the case, and only released some information on December 6. Disclosure in advance may affect the progress of law enforcement or "alert the enemy", so information disclosure needs to be cautious.

For our team, handling the incident not only requires cooperation with law enforcement agencies, but also requires bearing high technical and management costs. In addition, due to the complex technical details involved in the case and the interests of investment institutions, we still need to further confirm what information can be made public.

DEXX officially announced a compensation plan on December 6, including compensation from investment and financing or compensation from self-employed income, but the victims are not satisfied. What do you think about this issue?

Roy: The compensation plan was originally designed based on the worst-case scenario. Although we knew at the time that the worst-case scenario was unlikely to happen, in order to give victims a psychological expectation of the most basic protection, we chose to announce a most conservative plan first. The actual implementation of the plan will be adjusted according to the investment of institutional funds.

At present, the connection of institutional funds has been basically negotiated, but it has not yet been finalized. Since details such as investment amount and institutional valuation have not yet been finalized, we cannot disclose them to the public for the time being. Disclosure in advance may cause market misunderstandings or affect the cooperation intentions of institutions. Therefore, we hope to explain and update the plan to users through a formal announcement after the funds are fully secured.

Victims reported that the project team was inconsistent in determining the compensation plan. For example, on November 28, they promised to determine the plan within 48 hours, but it was not announced until December 6. How do you explain this?

Roy: First of all, we admit that there is indeed a delay in the release of the plan, but the main reason comes from some uncontrollable external factors and limitations of objective conditions.

In negotiations at the institutional level, the project party is in a weak position. We hope to cooperate with more powerful and reputable institutions to strive for the best interests of users, but this means repeatedly evaluating conditions and delaying the final confirmation of the plan.

In addition, during the hacker hunt, some details involve sensitive information about the cooperation between law enforcement agencies and security companies. Excessive disclosure may cause misunderstandings and even damage the reputation of the parties involved. Therefore, we choose not to disclose it to the public for the time being.

Although the decision to delay was made out of an abundance of caution, we are deeply sorry that our failure to communicate the specific reasons to users in a timely manner led to misunderstandings, for which we are deeply sorry.

On December 6, DEXX officially announced that it will finalize the plan within 7 working days. Now that time is almost up, can the platform confirm the specific compensation plan?

Roy: Our current plan is to launch a compensation platform entrance before the deadline. The specific process is as follows:

· User confirmation of the amount of loss: The amount of loss calculated by the third-party agency may be inaccurate or incomplete, so we need users to verify and confirm whether the amount of loss is correct through the platform entrance. Once the user confirms the amount and clicks "Confirm", the final debt record is formed.

· Compensation according to claims: The confirmed claims record will be used as the basis for compensation. When the institutional funds are in place, we will make compensation as soon as possible according to the user's claim ratio.

· Clarify the debt structure and compensation plan: The "7 working days" we proposed means that we first confirm whether the debt structure is correct, and then the user checks and agrees on the amount of the debt. After this step is completed, the final debt is determined.

At present, the specific compensation plan has been formulated, but it has not been announced to the public due to factors such as institutional funds. The overall process is carried out in stages. After the institutional funds are in place, we will handle the debt compensation in echelons. If the user has any questions after confirming the amount, we will also verify and handle it according to the records.

The victim mentioned that the platform had lost contact in the few days before December 6. Why didn't you step up in time to maintain close communication?

Roy: There is no such thing as "lost contact". Many people feel this way because we may not respond to their questions within 1-2 days, and users think we are no longer responding. In fact, the pressure and uncertainty we faced at that time were very great, but we were always working hard behind the scenes to deal with the problems. The main work during this period can be divided into three stages:

Tracking the hackers: We focused our efforts in the first week on working with security agencies and law enforcement agencies to track the hackers. This was the biggest and most expensive part of the early stages.

· Security upgrade and compensation solution development: In the second week, we comprehensively upgraded the platform’s security measures and developed product features related to compensation to provide users with a compensation entry point.

Institutional docking: By the third week, we shifted our focus to negotiation and communication with institutions. This phase of work was particularly complex and required a lot of details to be dealt with.

Although our customer service team will occasionally reply to messages in the group, due to the large number of affected users and the huge number of questions, we are unable to reply to every user immediately.

In addition, there are also great restrictions on the release of announcements. Every time we release an announcement, we need to confirm with 2 to 3 security agencies or law enforcement agencies whether the content can be made public. If some information is disclosed, it will affect the law enforcement agencies' tracking of suspects. For example, law enforcement agencies locked on some suspects in the early stage, but after in-depth investigation, they found that the direction was wrong and needed to be confirmed repeatedly. These repeated verifications took up a lot of our time and energy.

Users may not be able to directly feel our efforts, but behind the scenes, we have indeed put in a huge amount of work. Whether it is tracking hackers, communicating with agencies, or developing compensation plans, we have been moving forward. It’s just that due to the restrictions of law enforcement agencies and the need to protect case investigations, we cannot announce all progress immediately.

In general, we have not lost contact. Instead, while facing pressure from multiple sides, we have worked hard to solve problems for the victims and move the situation in a positive direction.

Just this incident has caused many people to lose confidence in DEXX's security capabilities and brand trust. If DEXX is launched again one day in the future, how do you think you should gain users' trust and get them to use it again?

Roy: The core of user trust lies not only in security technology, but also in the support and guarantee behind the platform. To this end, we plan to start from the following aspects:

· Compensation transparency and fairness: The platform will launch an online verification portal, and users need to confirm the amount of damage to ensure the accuracy of the data. After confirmation, the system will generate a record of the creditor's rights and pay compensation in stages after the institutional funds are in place. The entire compensation plan will be based on the principle of openness and transparency, and the progress of compensation will be updated in real time.

Comprehensive security upgrade: Hire a number of top security auditing agencies to conduct in-depth security assessments on the platform. Publicize the upgraded security mechanism, disclose technical details and improvement plans to users. Establish a complete technical support and problem handling system to ensure the stability and security of the platform operation.

Rebuilding brand credibility: Introducing a number of world-renowned exchanges and financial institutions as endorsements to enhance users’ trust in the platform. Through a strong partnership lineup, users can clearly perceive the future security of the platform.

Optimize user emotion management: Establish an efficient user communication mechanism and respond to feedback in a timely manner. Strengthen public relations capabilities and formulate clear crisis response strategies to make users feel valued and understood emotionally.

  • Strengthening trust: We realize that 99% of users do not understand technology. What they need is not complicated explanations of security technology, but a real sense of trust. Through endorsements from multiple parties and practical actions, users can believe that the future of the platform is worthy of trust.