DEX

OKX DEX suffers $2.7M exploit after proxy admin contract upgrade

The OKX DEX suffered an exploit resulting in the loss of around $2.7 million in cryptocurrencies after the proxy admin owner's private key was reportedly compromised and used to upgrade a contract.

OKX decentralized exchange (DEX) suffered a $2.7 million hack on Dec. 13 after the private key of the proxy admin owner was reported to be leaked. 

On Dec. 13, the blockchain security firm SlowMist Zone posted on X (formerly Twitter) that OKX DEX “encountered an issue.” According to the report, the issue began on Dec. 12, 2023, at approximately 10:23 pm, after the proxy admin owner upgraded the DEX proxy contract to a new implementation contract, after which the attacker began to steal tokens.

As of September 2023, research shows that the crypto industry has suffered $1.5 billion in losses due to hacks, exploits and scams this year.

Lifinity USDC pool drained by arbitrage bot

A bug involving an Immediate-or-Cancel order led to the drainage of nearly $700,000 from Lifinity’s LFNTY-USDC pool.

Decentralized exchange Lifinity had its LFNTY-USDC pool drained by an arbitrage bot on Dec. 8. According to Lifinity’s Discord channel, an unexpected response to a failed trade caused the $699,090 loss.

A Lifinity core member known as Durden explained that a bot attempted an arbitrage trade following the route USDC > xLFNTY > LFNTY > USDC, trying to profit from price discrepancies between different trading pairs.

The bot initiated an immediate-or-cancel market order on Serum v3, a type of order that is executed immediately at the current market price for whatever portion can be filled; any portion that cannot be filled immediately is canceled.

Uniswap launches iOS mobile wallet in select countries

The decentralized exchange had previously stated that Apple was not allowing the app to be listed on the App Store.

Decentralized exchange Uniswap has launched a mobile wallet that features built-in support for the exchange, according to an April 13 announcement from the company. The app is available for iOS devices in select countries and can be found in Apple’s App Store.

The Uniswap team complained on March 3 that Apple was blocking the app from its stores. But in this new announcement, the team said that its wallet is “out of Apple jail and now live in most countries.”

Uniswap said the new wallet allows users to swap tokens on the Ethereum, Polygon, Arbitrum and Optimism networks. It can also be connected to any Ethereum app through WalletConnect. Users can back up their accounts by either writing down their seed phrase or encrypting their key vaults with a password and storing them in iCloud.

The Uniswap app also allows users to see detailed information about nonfungible tokens (NFTs) stored within it, including their floor prices and collections.

To make Web3 onboarding easier, several wallet developers have offered mobile apps with built-in decentralized finance (DeFi) functions over the past few years. In 2020, Argent integrated MakerDAO and other DeFi protocols with its wallet app, and 1inch provided similar integrations in 2021.

Uniswap is Ethereum’s largest decentralized crypto exchange, with over $3.4 billion of total value locked inside of its smart contracts, according to its own analytics page.

Cointelegraph reached out to the Uniswap team for a list of countries where the app is available but was unable to get a response by the time of publication.

SushiSwap approval bug leads to $3.3 million exploit

Only users who have traded on the decentralized exchange in the last four days are apparently affected.

A bug on a smart contract on the decentralized finance (DeFi) protocol SushiSwap led to over $3 million in losses in the early hours of April 9, according to several security reports on Twitter. 

Blockchain security companies CertiK Alert and Peckshield posted about unusual activity related to the approval function in Sushi’s Router Processor 2 contract — a smart contract that aggregates trade liquidity from multiple sources and identifies the most favorable price for swapping coins. Within a few hours, the bug led to losses of $3.3 million.

According to DefiLlama pseudonymous developer 0xngmi, the hack should only affect users who swapped in the protocol in the past four days.

Sushi’s head developer, Jared Grey, urged users to revoke permissions for all contracts on the protocol. “Sushi’s RouteProcessor2 contract has an approval bug; please revoke approval ASAP. We’re working with security teams to mitigate the issue,” he noted. A list of contracts on GitHub, across several blockchains, that require revocation has been created to address the problem.

Hours after the incident, Grey took to Twitter to announce that a “large portion of affected funds” had been recovered through a whitehat security process. “We’ve confirmed recovery of more than 300ETH from CoffeeBabe of Sifu’s stolen funds. We’re in contact with Lido’s team regarding 700 more ETH.”

The Sushi community has had an intense weekend. On April 8, Grey and his counsel provided comments on the recent subpoena from the United States Securities and Exchange Commission (SEC).

“The SEC’s investigation is a non-public, fact-finding inquiry trying to determine whether there have been any violations of the federal securities laws. To the best of our knowledge, the SEC has not (as of this writing) made any conclusions that anyone affiliated with Sushi has violated United States federal securities laws,” he stated.

Grey claims to be cooperating with the investigation. A legal defense fund in response to the subpoena was proposed on Sushi’s governance forum on March 21.

Uniswap v3 code free to fork as BSL expires

The license expiration marks a significant event within the DeFi ecosystem, enabling developers to deploy their own decentralized exchange.

Developers are now allowed to fork the Uniswap v3 protocol, as its Business Source License (BSL) expired on April 1, according to the protocol documentation. The expiration was a much-anticipated event within the decentralized finance (DeFi) ecosystem, enabling developers to deploy their own decentralized exchange (DEX).

A BSL lasts for a limited period before the code becomes fully open source; its purpose is to protect the author’s right to profit from their creation. Uniswap v3’s license was issued in 2021 for a two-year term, preventing commercial use of its code. A new license, a “General Public License,” now applies to the protocol.

To fork the code, developers will be required to use an “Additional Use Grant” — a production exemption meant to accommodate both the needs of open-source and commercial developers.

Screenshot: Uniswap V3 core smart contracts repository on GitHub. Source: GitHub

Uniswap is a widely used decentralized exchange — considered the biggest automated market maker in the DeFi space — providing a platform where token creators, traders and liquidity providers swap tokens. Its native Uniswap (UNI) token is a popular way for investors to gain exposure to the DeFi market.

In May 2021, shortly after being launched, Uniswap v3 surpassed Bitcoin in terms of daily fee generation, Cointelegraph reported. Data from Cryptofees showed that Uniswap v3 was generating $4.5 million in daily fees at that time, while Bitcoin generated $3.7 million.

Uniswap v3 Total Value Locked. Source: DefiLlama

Earlier this month, Uniswap officially went live on the BNB Chain — Binance’s smart contract blockchain — after more than 55 million UNI tokenholders voted in favor of a governance proposal by 0x Plasma Labs to deploy the protocol on the BNB Chain. Through the move, Uniswap users can access BNB Chain’s ecosystem for trading and swapping tokens. The integration also allowed Uniswap to tap into a liquidity pool with BNB Chain’s DeFi developer community.

Crypto users turned to DEXs, loaded up on USDC after Silicon Valley Bank crash

The collapse of FTX led to a similar exodus from centralized exchanges, as users worried they may lose access to funds during crises.

The collapse of Silicon Valley Bank saw investors loading their bags with USD Coin (USDC), along with an exodus of funds from centralized exchanges (CEXs) to decentralized exchanges (DEXs).

Outflows from centralized exchanges often spike when the markets are in turmoil, blockchain analysis firm Chainalysis said in a March 16 blog post, as users are likely worried about losing access to their funds when exchanges go down.

Funds sent from CEXs to DEXs following SVB’s collapse. Source: Chainalysis

The Chainalysis data shows that hourly outflows from CEXs to DEXs spiked to over $300 million on March 11, soon after SVB was shut down by a California regulator.

A similar phenomenon was observed during the collapse of cryptocurrency exchange FTX last year, amid fears that the contagion could spread to other crypto firms.

However, data from the blockchain analytics platform Token Terminal suggests that the surge in daily trading volumes for large DEXs was short-lived in both cases.

Daily trading volumes for large DEXs from September to March. Source: Token Terminal

USDC was identified as one of the top assets being moved to DEXs, which Chainalysis said was unsurprising given that USDC depegged after stablecoin issuer Circle announced it had $3.3 billion in reserves stuck on SVB, prompting many CEXs like Coinbase to temporarily halt USDC trading.

What was surprising, Chainalysis noted, was the surge in USDC acquisitions on large DEXs such as Curve3pool and Uniswap. “Several assets saw large spikes in user acquisition, but none more than USDC,” the blockchain analysis firm wrote.

Token acquisitions on Uniswap from March 7 to March 14. Source: Chainalysis

Chainalysis theorized that this was due to confidence in the stablecoin, with some crypto users loading up on USDC while it was relatively cheap and betting that it would regain its peg — which it did on March 13 according to CoinMarketCap.

USDC’s brief depeg from March 11 to March 13. Source: CoinMarketCap

Orca DEX to block US users from trading with its interface

The company said U.S. traders would still be able to make swaps by directly interacting with Orca’s smart contracts, however.

The Solana-based decentralized exchange (DEX) Orca will block all United States users from trading using its web interface beginning March 31, according to a March 16 notice posted to its official website. 

The exchange did over $634 million worth of trading volume in February and has over $46 million total value locked in Solana smart contracts, according to DefiLlama.

On March 16, the protocol’s website added a notification that read, “Orca will be adding the United States to the regions and countries which are restricted from trading on orca.so effective March 31, 2023.”

Notice appearing on Orca’s website. Source: Orca

The alert emphasized that the change “will not impact the ability of U.S. users to directly interact with Orca’s smart contract or SDK, nor will it impact their ability to provide liquidity through orca.so.”

Americans who directly interact with Orca smart contracts will not be affected by the change, the notice said.

Orca is one of the DEXs used by Jupiter to source liquidity for its swap aggregator service, so Jupiter’s website may be an alternative for traders wanting to interact with Orca smart contracts.

Cointelegraph attempted to contact both Orca and Jupiter but did not receive a response from either by the time of publication.

Centralized crypto exchanges that are not licensed in the U.S. have often blocked American users to avoid the ire of the country’s regulators, but most decentralized exchanges have not followed suit, with a few exceptions. Aggregator 1inch began blocking American users in September 2021, after stating in its terms of use that U.S. residents were not allowed to use its interface. Binance DEX also banned U.S. users in June 2019.

Unlike centralized exchanges, DEXs do not have a centralized “back end” or database controlled by the developer. For this reason, many users have found that they can circumvent geographical bans in most cases by using a VPN to hide their IP address or by connecting directly to the blockchain through a development tool such as Truffle or Hardhat.

Blockchain DEXs Onchain and Camelot part ways over IFO spat

“We urge @CamelotDEX delete any information related to @OnchainTrade from all of your platforms as soon as possible,” wrote Onchain developers.

In a dispute that originated on Feb. 22, decentralized exchanges (DEXs) Onchain Trade and Camelot terminated an agreement for the former’s initial fair offering (IFO), with both firms alleging that the opposing counterparty acted in bad faith. An IFO, while still an emerging concept, typically involves promises made by developers of no venture capitalist involvement, no whitelist, no presale and the vast majority of income going to tokenholders, on top of a traditional initial coin offering.

As told by Onchain, developers began negotiations with Camelot for an IFO, for which the latter charged a fee of 2%, and both parties agreed upon the amount. In addition, Camelot required that Onchain exclusively sell tokens on its platform, to which Onchain also agreed. However, at this point, Onchain alleged that Camelot became “more demanding and trying to start another round of bargain; we started feeling uncomfortable working with Camelot and decided to terminate deal with them altogether.”

In a follow-up tweet in Chinese, Onchain, which stated its core developers “come from China,” explained that the root cause of the disagreement was the “no-limit” token sale allegedly demanded by Camelot. “There are many opportunities in the bear market; retail investors simply don’t have the risk management and valuation capabilities to assess projects,” Onchain developers wrote. 

In response, Camelot said that Onchain’s statements were “false allegations.” According to Camelot’s version of the story, its IFO sales model “was never mentioned as being an issue from their team [Onchain].”

“This low number [2% fee] which never once changed from our side, was set well below market for such a launch due to a desire to support the ecosystem and facilitate a protocol transitioning over from zksync.”

Regarding exclusivity, Camelot explained that “doing a multiple IDO [IFO] model isn’t feasible, and the same was clearly communicated, and on multiple occasions the OCT team confirmed understanding.” The firm then accused Onchain’s leadership of “acting in bad faith or simply being inexperienced” and “denials after the fact” in a series of direct messages, which Camelot said led to their cancellation of the deal.

“We’ll work hard to try and make every project succeed, but some will and some won’t. But in the end, those that fail to understand your words matter, will never have a seat on the Round table.”

To which Onchain replied, “Tricking us into canceling deal with other partners and starts bargaining round over round thinking we can’t live without you, calling that good faith.” Onchain has since decided to move its IFO directly onto its website. At the time of publication, Cointelegraph was not able to independently confirm the allegations presented by either party.

Dexible aggregator hacked for $2M via ‘selfSwap’ function

The buggy function was intended to allow users to provide their own routing information, but the code did not limit routers to a preapproved list.

The multichain exchange aggregator Dexible has been hit by an exploit, and $2 million worth of cryptocurrency has been lost as a result, according to a Feb. 17 post-mortem report released by the team on the project’s official Discord server.

As of 6:35 pm UTC on Feb. 17, the Dexible front end shows a popup warning about the hack whenever users navigate to it.

At 6:17 am UTC, the team reported that it had discovered “a potential hack on Dexible v2 contracts” and was investigating the issue. Approximately nine hours later, it released a second statement that it now knew “$2,047,635.17 was exploited from 17 trader addresses. 4 on mainnet, 13 on arbitrum.”

A post-mortem report was issued at 4:00 pm UTC as a PDF file and released on Discord, and the team said it was “actively working on a remediation plan.”

In the report, the team states that it had noticed something was wrong when one of its founders had $50,000 worth of crypto moved out of his wallet for reasons that were unknown at the time. After investigating, the team found that an attacker had used the app’s selfSwap function to move over $2 million worth of crypto from users that had previously authorized the app to move their tokens.

The selfSwap function allowed users to provide the address of a router and calldata associated with it to make a swap of one token for another. However, there was no list of preapproved routers written into the code. So, the attacker used this function to route a transaction from Dexible to each token contract, moving users’ tokens from their wallets into the attacker’s own smart contract. Because these malicious transactions were coming from Dexible, which users had already authorized to spend their tokens, the token contracts did not block the transactions.
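Both the Sushi RouteProcessor2 incident above and the Dexible selfSwap flaw share one root cause: a contract that holds users' standing ERC-20 approvals lets the caller pick an arbitrary target and calldata, so the contract's own identity (the approved spender) is lent to whatever the caller names. The following is an added illustration, not code from Dexible, Sushi or any audit of them; the contract and function names, and the single-token swap flow, are assumptions made to keep the sketch short. It places the unrestricted pattern next to a hardened version that uses an owner-managed router allowlist, pulls only the caller's own tokens, and leaves no approval behind.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (hypothetical contracts), not the code of Dexible or Sushi.
// Minimal ERC-20 surface needed for the sketch.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

/// The unrestricted pattern described in the article: the caller supplies
/// both the target ("router") and the calldata, and the contract executes
/// the call under its own identity. Every user who approved this contract
/// as a spender is exposed, because any target the caller names, including a
/// token contract, sees a call arriving from the approved spender.
contract UnrestrictedAggregator {
    function selfSwap(address router, bytes calldata data) external {
        (bool ok, ) = router.call(data); // target and payload chosen by caller
        require(ok, "swap failed");
    }
}

/// Hardened pattern: routers must be on an owner-managed allowlist, tokens
/// are pulled only from msg.sender, and the router is approved for exactly
/// this call's amount and then reset to zero. (Output-token handling is
/// omitted to keep the sketch focused on the approval surface.)
contract AllowlistedAggregator {
    address public immutable owner;
    mapping(address => bool) public approvedRouters;

    event RouterAllowed(address indexed router, bool allowed);

    constructor() {
        owner = msg.sender;
    }

    /// Only the owner can change the allowlist; emitting an event makes
    /// allowlist changes easy to monitor off-chain.
    function setRouter(address router, bool allowed) external {
        require(msg.sender == owner, "not owner");
        require(router != address(0), "zero router");
        approvedRouters[router] = allowed;
        emit RouterAllowed(router, allowed);
    }

    function swap(
        address router,
        address tokenIn,
        uint256 amountIn,
        bytes calldata data
    ) external {
        require(approvedRouters[router], "router not allowed");
        require(amountIn > 0, "zero amount");

        // The contract spends only the caller's own allowance, never a
        // third party's, so other users' approvals are never in play.
        require(
            IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn),
            "pull failed"
        );

        // Scope the router's allowance to this single call.
        require(IERC20(tokenIn).approve(router, amountIn), "approve failed");
        (bool ok, ) = router.call(data);
        require(ok, "swap failed");
        require(IERC20(tokenIn).approve(router, 0), "approval reset failed");
    }
}
```

The check that matters is the first `require` in `swap`: without the allowlist, the remaining guards only bound what the caller can do with their own tokens, not what they can do with everyone else's. A reviewer auditing an aggregator that holds user approvals should look for any path where a caller-controlled address is the target of `.call` and no allowlist sits in front of it.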

After receiving the tokens into their own smart contract, the attacker withdrew the coins through Tornado Cash into unknown BNB (BNB) wallets.

Dexible has paused its contracts and urged users to revoke token authorizations for them.

The common practice of authorizing token approvals for large amounts has sometimes led to losses for crypto users due to buggy or outright malicious contracts, leading some experts to warn users to revoke approvals on a regular basis. The front ends for most Web3 apps do not directly allow users to edit the amount of tokens approved, so users often lose the full balance of their tokens if an app turns out to have a security flaw. MetaMask and other wallets have tried to fix this problem by allowing users to edit token approvals at the wallet confirmation step, but many crypto users are still unaware of the risk of not using this feature.