Written by: SafePal

"Dark Forest", a law of cosmic sociology from "The Three-Body Problem", is also the bluntest summary of the current state of Web3 security: there is plenty of room for imagination and innovative mechanics on-chain, but it is also a "dark forest" full of brutal zero-sum games, in which ordinary investors often end up as the "prey" on the wrong side of an information asymmetry.

On November 16, several community users reported that the on-chain trading terminal DEXX had been hacked. Subsequent analysis revealed significant vulnerabilities in DEXX's private key management, with private keys even transmitted and stored in plaintext. According to incomplete statistics, total losses so far exceed $20 million.

Against this background, how ordinary users can improve their on-chain self-protection has become a pressing question. Veronica, co-founder and CEO of SafePal, took part in the 137Labs-hosted 𝕏 Space event "Security Reflections Triggered by the DEXX Incident: How to Avoid Pitfalls in Crypto Investment", discussing the DEXX security incident with BlockSec founder Andy, senior trader Club Brother, and 137Labs researcher OneOne, and offering practical security advice for crypto investors.

This article summarizes what the guests shared during this Twitter Space event, organized for readers.

The "unbearable burden" of front-running Bot tools

In crypto investment, high returns and absolute security are often difficult to balance. Trading Bot tools such as DEXX and Unibot have won users' favor with features like one-click following and quick fund transfers, but this convenience is built on a centralized architecture that requires users to authorize funds or provide wallet access permissions, significantly increasing asset risks.

However, users generally underestimate the security requirements of these trading tools: they habitually trust large exchanges while neglecting the risks of smaller tool platforms. The DEXX incident exposed fatal vulnerabilities in the private key management of some trading tools. A real "non-custodial wallet" should ensure that private keys are stored only on the user's device and do not rely on centralized servers. Even if private keys are encrypted, without memory-level protection (such as a TEE or enclave) the possibility of theft cannot be ruled out.

The attack itself was also complex. The hackers dispersed and moved the funds to make tracing harder, which not only makes the funds more difficult to recover but also suggests that similar incidents may become more complex and harder to prevent in the future. It also leaves two possibilities: either the platform was breached through technical vulnerabilities, or there was internal embezzlement or deep infiltration. If it is the latter, future risks may be more serious.

Dune data shows that the top five trading Bots by transaction volume are: Trojan, BonkBot, Maestro, Banana Gun, and Sol Trading Bot, all with 7-day transaction volumes exceeding $100 million and cumulative user numbers exceeding 300,000. It is precisely because of this that the mindset of "either huge gains or zero" leads most users to overlook potential huge risks.

Source of the image: Dune

Veronica believes that almost all such "front-running" trading tools may face similar security risks. The reason these Bots can achieve ultra-fast on-chain trading and avoid manual signatures each time is that they sacrifice part of their security and non-custodial characteristics.

Normally, whether using a hardware wallet, an app wallet, or a browser extension wallet, users need to spend a few seconds manually confirming each signature. To improve transaction speed and user experience, however, these Bots typically compromise by reducing some of the security around private keys.

This design is not entirely wrong, nor can it simply be said that these projects are unsafe. It does, however, place very high demands on the development team's security capabilities. If a team pursues a smooth experience without strong security defenses, the consequences of an attack will be extremely serious, and both users and the project may face huge losses.

Furthermore, most trading Bots currently face a significant security risk in their design. To achieve automated trading, they usually generate and manage private keys for each user. Although this approach is convenient for users to engage in automated trading, it also brings extremely high security risks. If attackers breach the platform, all stored user private keys could be leaked, leading to asset losses.

Source of the image: DEXX "Wallet Management" page

However, in reality, there is a safer trading architecture that can achieve automated trading without using users' private keys.

This architecture relies on smart contracts, completing transactions without user private key signatures by creating "PDA accounts" associated with user accounts. The platform can execute transaction instructions through a restricted "operational account", but the permissions of this operational account are strictly controlled, allowing only transaction operations and not the arbitrary transfer of user assets.

This smart contract-driven design can significantly enhance security because users' private keys are always in their own hands and are not stored on centralized servers. Although this design is more complex and requires higher engineering capabilities and security technology from the team, it is completely feasible and more secure.

Currently, most users either do not understand the difference between these two design patterns or overlook security in pursuit of convenience. However, as security incidents become more frequent, users and development teams may pay more attention to safer architectures. This more advanced design is expected to become more common over time, reducing the occurrence of incidents like DEXX.

From transaction authorization to private key protection, the Web3 security chain

OneOne believes that current on-chain security risks can be divided into two main categories, covering aspects from transaction authorization to private key protection.

The first common attack method is "Approve deception". For example, in a manner similar to a "dust attack", attackers send a small amount of cryptocurrency or an airdropped NFT to lure users into clicking and authorizing a transaction. Such an authorization may give attackers access to the user's wallet and let them steal the user's assets (including cryptocurrencies and NFTs). Users should handle tokens and airdrops from unknown sources cautiously and avoid granting authorizations lightly.

Private key theft generally occurs in several ways:

  • The first type is "malware attacks". For example, some attackers pretend to invite users to test new projects, luring them into downloading executable files that carry Trojans. Once a device is infected, users' private keys and account passwords can be easily stolen.

  • The second type is "clipboard" attacks. Attackers gain access to users' clipboards through phishing websites. When users copy and paste private keys, this sensitive information can be intercepted and exploited by attackers.

  • In addition, there are cases of "remote control attacks", in which attackers manipulate users' computers through malicious remote-access software and may even steal private keys directly while users are resting. For example, the "fingerprint browsers" commonly used by airdrop users often include cloud storage functions; if these are compromised, users' assets can be easily stolen. Many users also do not set up two-factor authentication (2FA) when using these tools, which further exacerbates the risk.

  • Finally, there is the "input method hazard". Many users prefer smart input methods, but these may collect users' input data and store it in the cloud, which also increases the possibility of private key leakage. Users are advised to use the system's built-in input methods where possible: they have fewer features but are more secure.

Overall, when users are trading on-chain, especially when using DeFi applications or trading tools, they need to take extra security precautions, among which authorization management is a highly important issue. Due to Ethereum's mechanism requiring users to grant token authorization to smart contracts, attackers can exploit this authorization mechanism for malicious operations. Therefore, users should regularly check their wallet's authorization list and promptly revoke unnecessary authorizations, especially those early authorizations that may have been forgotten, to reduce risks.
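The authorization review described above ("Approve deception" and the advice to check and revoke old authorizations) can be sketched as a replay of ERC-20 Approval event logs. This is an added example, not SafePal's code: the addresses and log entries are constructed, and the logs are assumed to be already fetched with `blockNumber` and `logIndex` decoded to integers.

```python
# Added example: replay ERC-20 Approval logs; every address and log below is constructed.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # the "infinite approval" value many dApps request

def pad(addr):
    """Encode an address the way it appears as a 32-byte indexed topic."""
    return "0x" + "0" * 24 + addr[2:].lower()

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, owner):
    """Return {(token, spender): last approved value} where that value is non-zero."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        # ERC-721 Approval has the same signature but 4 topics: not an allowance.
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(t[1]) != owner.lower():
            continue
        # A later Approval overwrites the earlier one; value 0 is a revocation.
        state[(log["address"].lower(), topic_to_address(t[2]))] = int(log["data"], 16)
    return {k: v for k, v in state.items() if v > 0}

def unlimited_only(allowances):
    """The subset to revoke first: spenders allowed to move the whole balance."""
    return sorted(k for k, v in allowances.items() if v == UNLIMITED)

OWNER, OTHER = "0x" + "aa" * 20, "0x" + "dd" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
SPENDER_X, SPENDER_Y = "0x" + "bb" * 20, "0x" + "cc" * 20

def mk(block, token, owner, spender, value):
    return {"blockNumber": block, "logIndex": 0, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [
    mk(150, TOKEN_B, OWNER, SPENDER_Y, 0),          # revokes the block-120 approval
    mk(100, TOKEN_A, OWNER, SPENDER_X, UNLIMITED),  # old, forgotten infinite approval
    mk(120, TOKEN_B, OWNER, SPENDER_Y, 500),
    mk(160, TOKEN_A, OTHER, SPENDER_X, UNLIMITED),  # another owner's approval: ignored
    mk(170, TOKEN_B, OWNER, SPENDER_X, 1000),
]

if __name__ == "__main__":
    print(unlimited_only(outstanding_allowances(SAMPLE_LOGS, OWNER)))
```

Logs record the value last approved, not what remains after spending, so the token's `allowance(owner, spender)` call is the authoritative figure before and after a revocation.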

In addition, when choosing DeFi platforms, users should review the platform's security measures, including whether there are comprehensive audit reports, whether there is continuous automated security monitoring, and whether the platform regularly updates and patches vulnerabilities. When using Trading Bots, users are advised to diversify where they hold assets and not to keep large sums in accounts controlled by trading bots. After making a profit, funds should be transferred to a safer wallet as soon as possible to reduce potential losses.

The trader said that, for a trader, it is crucial to be familiar with the mechanisms of trading tools and platforms. In the current environment of trading low-quality coins, many people focus only on the thrill of price surges and drops and neglect the security risks of their trading tools. Users should set up security alerts, such as pool drainage or liquidation warnings, to monitor risks at all times.

Veronica emphasized a simple yet important principle: there is always a compromise between efficiently chasing profits and comprehensive security. Therefore, the most critical advice is to ensure fund isolation. If you find yourself anxious and unable to sleep due to large investment positions, frequently checking your phone, it likely indicates that your fund allocation has exceeded your risk tolerance.

What are some practical on-chain security query tools?

Veronica recommends that users make use of the security tools built into non-custodial wallets like SafePal, such as the function for regularly checking authorizations: users can scan all authorization records across multiple chains and revoke unnecessary authorizations with one click, reducing the risk of being exploited by hackers.

Source of the image: SafePal "Approval Manager" feature

In addition, scammers often use small transfers to pass their own addresses off as the addresses a user normally transfers to, in order to defraud funds. Mainstream wallets such as OKX Web3 Wallet and SafePal have added risky-transaction interception services against these "front-and-back attacks". Combining a hardware wallet with a passphrase is also a lesser-known but very practical feature, especially suitable for users with multiple trading accounts.

The passphrase acts as a 13th word: combined with the original 12 mnemonic words, it generates a brand new wallet address. Even if someone obtains your mnemonic words, they cannot access the assets without the passphrase. It also means that users can create multiple wallet accounts in this way to ensure security.

This method not only increases the security of private keys but also lets users manage assets flexibly across multiple accounts. Because the passphrase exists only in the user's mind, it further strengthens security.
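How the "13th word" produces a separate wallet, as an added example that is not SafePal's code: it assumes the wallet follows the BIP-39 standard for turning mnemonic plus passphrase into a seed and BIP-32 for the master key, and it uses the public BIP-39 test-vector mnemonic. `wallet_id` and `compare` are hypothetical helper names.

```python
# Added example: BIP-39 seed derivation, showing how a passphrase changes the wallet.
import hashlib
import hmac
import unicodedata

def _nfkd(text):
    """BIP-39 requires NFKD normalisation before hashing."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")

def bip39_seed(mnemonic, passphrase=""):
    """PBKDF2-HMAC-SHA512, 2048 rounds; the passphrase only enters through the salt."""
    salt = b"mnemonic" + _nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt, 2048, dklen=64)

def master_key(seed):
    """BIP-32 master private key and chain code (as used by secp256k1 chains)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]

def wallet_id(mnemonic, passphrase=""):
    """Short fingerprint of the master key, to compare wallets without printing keys."""
    key, chain = master_key(bip39_seed(mnemonic, passphrase))
    return hashlib.sha256(key + chain).hexdigest()[:16]

# Public BIP-39 test-vector mnemonic: known to everyone, never fund it.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")

def compare(passphrases):
    """Map each passphrase to the wallet it opens for the same 12 words."""
    return {p: wallet_id(MNEMONIC, p) for p in passphrases}

if __name__ == "__main__":
    # No passphrase, the intended one, and a one-character typo: three unrelated wallets.
    for p, wid in compare(["", "TREZOR", "TREZ0R"]).items():
        print(repr(p), wid)
```

Every passphrase is valid, so a mistyped one opens a different, empty wallet without any error; the passphrase needs the same care in backup as the mnemonic itself.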

Andy also emphasized that when users suffer security incidents, the cause is often not only risk within the project itself but also the users' own insufficient security habits. Even users who know that they hold a large amount of cryptocurrency, or that investment trading carries risks, often expose their assets to danger through bad habits.

Users are advised to build isolation into their security awareness and habits: for example, storing large assets in cold wallets that are used solely for interaction and cannot directly transfer funds, and using a dedicated phone (like an iPhone) to manage crypto assets, using it only for cryptocurrency transactions or private key management and not installing unrelated software or doing anything else on that device. This significantly reduces the risk of private key leakage.

Conclusion

The DEXX security incident reveals the core dilemma in the field of on-chain trading tools: how to find a balance between convenience and security?

While pursuing efficient trading and user experience, the platform's security design must not be sacrificed. Whether it is centralized storage of private keys or the lack of memory-level protection, either shortcoming exposes users' assets to high risk.

"There is always a compromise between high returns and absolute security." For investors, understanding the risk logic behind trading tools and cultivating good security habits is the foundation for navigating the "dark forest" of on-chain activities. In this decentralized and uncertain ecosystem, only by controlling your private keys can you truly control your assets and promote the healthier development of the entire on-chain ecosystem.