QI Quadriga Initiative

Jul 2021 - DDEX XDX Swap Backdoor - $5m (Global)

"DDEX is a decentralized exchange platform in the process of expanding into decentralized lending so that they can offer their users the ability to create leveraged long and short positions. They're currently beta testing their decentralized margin exchange."

A "Peckshield alert shows that" "XDX Swap on DDEX, a cross-chain decentralized exchange on the Heco chain, was attacked. The attacker made a profit of 85.17 ETH (approximately $176,000)." "At present, the attacker has transferred all the profits across the chain to Ethereum."

"From July 1st to 2nd, the HECO ecological chain project XDX Swap (DDEX) was attacked by hackers, and various digital virtual currencies worth more than 5 million U.S. dollars in the fund pool were stolen."

"[T]he DdeX code is suspected to have a backdoor." "The DDEX project party and the HECO White Hat Security Network Alliance team confirmed that the attack was due to a vulnerability in the project's smart contract code. The attacker used the vulnerability to steal user assets stored in the fund pool."

"HECO initiated the first node governance, and returned over 5 million USD of funds recovered from the DDEX security incident" (2021-08-21 19:08:05).

Further Analysis

The DDEX XDX Swap project is an exchange platform operating on the HECO blockchain. The funds were stored in a smart contract hot wallet, which was exploited to take $5m USD worth of assets. A node governance maneuver allowed the funds to be returned from the attacker's wallet.

How Could This Have Been Prevented?

The primary issue here is the safe and secure storage of funds. All platform funds were stored in a smart contract hot wallet, which cannot be proven secure. The issue could have been avoided by storing customer funds primarily in offline multi-signature storage. However, no funds were lost in this case, as the governance maneuver allowed for their return.

Sources/Further Reading

SlowMist Hacked - SlowMist Zone (Dec 31)
Shield: XDX Swap on DDEX, a cross-chain decentralized exchange on HECO, was hacked, and the attackers made nearly $180,000 - 律动BlockBeats (Dec 31)
Taking undercollateralized loans for fun and for profit (Dec 31)
Peckshield: the xdx swap on the DdeX of the cross chain decentralized exchange on the heco chain is attacked, and the DdeX code is suspected to have a backdoor - 优源码-区块链 (Dec 31)
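Weibo (Dec 31)
HECO initiates first node governance, returning via the original route over 5 million USD of funds recovered from the DDEX security incident - 云币网 (Dec 31)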
XDX Swap LP Token (SLP) Token Tracker | BscScan (Dec 31)
Contract Address 0x62caa121ffd7fd0fea8acdec43d0926a66d70d4a | BscScan (Dec 31)
PeckShield: XDX Swap on DDEX, a cross-chain decentralized exchange on the Heco chain, was attacked; the DDEX code is suspected to contain a backdoor - 链闻 ChainNews (Dec 31)