Original title: (Exclusive Interview with DEXX Founder: The responsibility for the theft lies entirely with us, the compensation platform entry is about to launch)
Original author: Fu He, Odaily Planet Daily
On November 16, a major security incident broke out on the DEXX trading platform. Hackers exploited technical vulnerabilities on the platform to steal over 21 million dollars in user funds, affecting nearly 1000 victims. This incident not only caused severe economic losses for users but also had a profound impact on the trust mechanism in the industry, quickly becoming a hot topic in the Web3 security field.
After the incident, the DEXX project team failed to disclose the specific reason for the theft for nearly a month. Worse, the platform's founder publicly argued with users on social media, escalating the conflict between the two sides.
Recently, DEXX platform founder Roy gave his first interview to Odaily Planet Daily, providing detailed answers regarding the cause of the security incident, the compensation plan for victims, and directions for future improvements of the platform, attempting to address various questions from victims and the market. (Odaily Note: The following responses represent the views of DEXX and do not reflect the position of Odaily Planet Daily.)
The following is a transcript of the interview.
Odaily Planet Daily: Can you explain the reasons for the theft of DEXX this time? Is it related to the platform's private key management scheme?
Roy: The main reason for the theft was our team's mistakes in security management, not the private key management scheme itself.
We are using a market-leading trading and custody solution, consistent with many leading platforms (such as BananaGun, Unibot, etc.). This solution has advantages in trading speed and limit order experiences but requires extremely high security management from the team. Our mistakes led to the leakage of private keys, and the responsibility lies entirely with us.
Although user feedback indicates that private keys are uniformly stored on the server and lack encryption, this is a misunderstanding of the technical details. In fact, the logic of this scheme is to independently generate wallet addresses, which is widely used in mainstream market platforms. The issue lies not in the scheme itself, but in our team's mistakes in implementation and management.
Odaily Planet Daily: On social media, many victims believe that the theft of assets this time was actually a self-theft by DEXX. How do you prove your innocence?
Roy: I have explained multiple times that if we really had any misconduct:
· Security agencies like SlowMist would not cooperate with us.
· Investment institutions would not continue to connect funding.
· Law enforcement agencies would take direct action against us, rather than assist in tracking the hacker.
In fact, the team and I have no reason to ruin our future for this sum of over 20 million dollars. Our daily income during peak business periods can reach three to four hundred thousand dollars, and before the incident, the platform was valued at 60 million dollars. If we really needed funds, we could obtain them through more reasonable means, such as issuing platform tokens or attracting institutional investment.
Odaily Planet Daily: What is the current progress of the investigation into the theft case? What difficulties does the platform face in handling the incident?
Roy: The suspects have been identified within the country, but the investigation process is very complex, involving a large amount of time and resource costs. Law enforcement agencies began to intervene early on, and to ensure the smooth progress of the investigation, we did not disclose details externally in the early stages of the case, only announcing some information on December 6. Early disclosure may affect law enforcement progress or 'alert the suspects,' so information disclosure needs to be cautious.
For our team, handling the event not only requires cooperation with law enforcement but also incurs high technical and management costs. Additionally, due to the complex technical details involved in the case and the interests of investment institutions, we still need to further confirm which information can be made public.
Odaily Planet Daily: DEXX officially announced the compensation plan on December 6, including compensation through financing or self-operated income, but the victims are not satisfied. What do you think about this issue?
Roy: The compensation scheme was initially designed based on the worst-case scenario. Although we already knew that the worst-case scenario was unlikely to occur, we chose to first announce the most conservative plan to set a psychological expectation for victims about the most basic guarantees. The actual execution of the plan will be adjusted based on the investment of institutional funds.
Currently, the connection of institutional funds has been basically negotiated, but it has not yet been finalized. Due to details such as investment amounts and institutional valuations still being unresolved, we are temporarily unable to disclose this information. Early disclosure may lead to market misunderstandings or affect the willingness of institutions to cooperate. Therefore, we hope to wait until the funds are fully secured before explaining and updating the plan to users through a formal announcement.
Odaily Planet Daily: Victims reported that the project team had repeated commitments regarding the compensation scheme, such as promising to finalize the plan within 48 hours on November 28, but it wasn’t announced until December 6. How do you explain this?
Roy: First of all, we admit that there was indeed a delay in the release of the plan, but the reasons mainly stemmed from some uncontrollable external factors and limitations of objective conditions.
In negotiations at the institutional level, the project team is at a disadvantage. We hope to collaborate with stronger and more reputable institutions to secure the best interests for users, but this means repeatedly evaluating conditions and delaying the final confirmation of plans.
Furthermore, during the hacker pursuit process, certain details involve sensitive information regarding the cooperation between law enforcement and security companies. Excessive disclosure may lead to misunderstandings or even damage the reputation of related parties. Therefore, we choose not to disclose this information externally for the time being.
Although the decision to delay was made out of caution, we failed to communicate the specific reasons to users in a timely manner, leading to misunderstandings, for which we sincerely apologize.
Odaily Planet Daily: On December 6, DEXX officially stated that the plan would be confirmed within 7 working days. The time is now approaching; can the platform confirm the specific compensation plan?
Roy: Our current plan is to first launch an entry point for the compensation platform by the deadline, with the specific process as follows:
· User confirmation of the amount of loss: The loss amount calculated by the three institutions may be inaccurate or incomplete; therefore, we need users to verify and confirm whether the loss amount is correct through the platform entry. Once users confirm the amount and click 'Confirm', it will establish a final debt record.
· Compensation according to debt: Confirmed debt records will serve as the basis for compensation. Once institutional funds are in place, we will compensate users based on their debt ratios as soon as possible.
· Clarifying debt structure and compensation plan: The '7 working days' we proposed refers to first confirming whether the debt structure is correct, and then having users verify and agree on the debt amount. Once this step is completed, the final debt will be confirmed.
The specific compensation plan has been formulated, but due to factors such as institutional funds, it has not yet been disclosed. The overall process will proceed in stages, and once institutional funds are in place, we will handle debt compensation matters in tiers. If users have questions after confirming the amount, we will verify and address them based on records.
Odaily Planet Daily: Victims mentioned that the platform was unresponsive in the days leading up to December 6. Why didn’t you come forward in a timely manner to maintain close communication?
Roy: In fact, there is no so-called 'disconnection' situation. Many people feel this way because we may not have responded to their questions within 1 to 2 days, leading users to believe we are no longer responding. In fact, our pressure and uncertainty were very high at that time, but we were always working hard behind the scenes to address the issues. We can explain our main work during this time in three phases:
· Tracking the hacker: In the first week, we focused our efforts on cooperating with security agencies and law enforcement to track the hacker's movements. This was the stage with the highest initial investment and cost.
· Security upgrade and compensation scheme development: In the second week, we fully upgraded the platform's security measures and developed product features related to compensation, providing an entry for users to receive compensation.
· Institutional connections: By the third week, we shifted our focus to negotiations and communications with institutions. This stage of work is particularly complex and requires handling a large number of details.
Although our customer service team occasionally replies in the group, due to the large number of affected users and the vast number of questions, we are unable to respond to each user immediately.
Moreover, there are significant restrictions on announcements. Each time we release an announcement, we need to confirm with 2 to 3 security agencies or law enforcement agencies whether the content can be made public. Some information, if disclosed, could affect law enforcement's tracking of suspects. For example, early on, law enforcement identified some suspects, but found the direction incorrect after further investigation, requiring repeated confirmation. This verification process consumed a lot of our time and energy.
Users may not intuitively feel our efforts, but behind the scenes, we have indeed put in a tremendous amount of work. Whether it’s tracking hackers, communicating with institutions, or developing compensation plans, we have been making progress. However, due to the restrictions from law enforcement and the need to protect the investigation, we cannot disclose all progress immediately.
Overall, we have not been unresponsive but have been striving to resolve issues for victims and push the situation in a positive direction while facing multiple pressures.
Odaily Planet Daily: Due to just this incident, many people have drastically decreased their trust in DEXX's security capabilities and brand credibility. If, one day in the future, DEXX goes online again, how do you think you should regain user trust and encourage them to use it again?
Roy: The core of user trust lies not only in security technology but also in the support and guarantees behind the platform. To this end, we plan to start from the following aspects:
· Transparency and fairness in compensation: The platform will launch a verification entry where users need to confirm the loss amount to ensure data accuracy. Once confirmed, the system will generate a debt record, and once institutional funds are in place, compensation will be processed in tiers. The entire compensation plan will adhere to the principle of openness and transparency, with real-time updates on compensation progress.
· Comprehensive security upgrade: Engaging multiple top security auditing agencies to conduct in-depth security assessments of the platform. Publicly upgrading the security mechanisms and disclosing technical details and improvement plans to users. Establishing a complete technical support and issue-handling system to ensure the stability and security of platform operations.
· Rebuilding brand credibility: Introducing multiple globally renowned exchanges and financial institutions as endorsements to enhance user trust in the platform. Through a strong coalition of partners, we want users to clearly perceive the platform's future security guarantees.
· Optimizing user emotional management: Establishing an efficient user communication mechanism to respond to feedback in a timely manner. Strengthening public relations capabilities and formulating clear crisis response strategies to make users feel valued and understood emotionally.
· Strengthening trust: We recognize that 99% of users do not understand technology; what they need is not complicated security technical explanations but rather a tangible sense of trust. By securing multiple endorsements and taking concrete actions, we aim to make users believe that the future of the platform is reliable.