According to SlowMist's report, the OKX DEX contract appears to have been exploited. SlowMist's analysis describes the trust chain as follows: when users swap, they grant an approval to the TokenApprove contract, and the DEX contract moves the user's tokens by calling the TokenApprove contract. The DEX contract exposes a claimTokens function that only a trusted DEX Proxy may call; it in turn calls the TokenApprove contract's claimTokens function to transfer the tokens users have approved. The trusted DEX Proxy is managed by a Proxy Admin, and the Proxy Admin Owner can upgrade the DEX Proxy contract's implementation through the Proxy Admin.
On December 12, 2023, at 22:23:47, the Proxy Admin Owner upgraded the DEX Proxy to a new implementation contract that directly calls the DEX contract's claimTokens function to transfer tokens. The attacker then began calling the DEX Proxy to drain tokens. At 23:53:59 on December 12, 2023, the Proxy Admin Owner upgraded the contract again to an implementation with similar functionality, and the draining continued after that upgrade. At the time of the report, the attacker's profit is about 430,000 U.
The attack may have been caused by a leak of the Proxy Admin Owner's private key. The DEX Proxy has since been removed from the trusted list.
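The sequence described above (an upgrade of a trusted proxy immediately followed by claimTokens calls routed through it) is exactly the pattern a defender would want to alert on, and an upgrade timelock is the standard control that turns a single leaked owner key into a recoverable event rather than an instant drain. The following Python model is an added example and is not code from SlowMist, OKX, or the contracts involved; the contract and caller addresses are constructed placeholders, the event records are constructed from the report's public description (only the two upgrade times come from the report), and `TimelockedProxyAdmin` is a hypothetical mitigation model, not the actual Proxy Admin.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Event:
    """One on-chain event of interest (constructed model, not a real log format)."""
    ts: datetime
    kind: str          # "Upgraded" (ProxyAdmin changed a proxy's implementation) or "ClaimTokens"
    proxy: str         # the DEX Proxy the event concerns
    impl: str = ""     # Upgraded: new implementation address
    caller: str = ""   # ClaimTokens: account that called the proxy


# The DEX contract's trusted list: proxies allowed to call claimTokens (placeholder address).
TRUSTED_PROXIES = {"0xDEX_PROXY"}


def upgrade_then_drain_alerts(events: List[Event], window: timedelta) -> List[Dict]:
    """For each upgrade of a trusted proxy, collect the claimTokens calls routed through that
    proxy within `window` after the upgrade and before the next upgrade of the same proxy.
    An upgrade followed minutes later by approval pulls is the pattern the report describes."""
    events = sorted(events, key=lambda e: e.ts)
    upgrades = [e for e in events if e.kind == "Upgraded" and e.proxy in TRUSTED_PROXIES]
    alerts = []
    for i, up in enumerate(upgrades):
        later = [u.ts for u in upgrades[i + 1:] if u.proxy == up.proxy]
        cutoff = min([up.ts + window] + later)  # stop at the window end or the next upgrade
        claims = [e for e in events
                  if e.kind == "ClaimTokens" and e.proxy == up.proxy and up.ts <= e.ts < cutoff]
        if claims:
            alerts.append({
                "upgrade_at": up.ts,
                "new_impl": up.impl,
                "claim_count": len(claims),
                "first_claim_delay_s": (claims[0].ts - up.ts).total_seconds(),
            })
    return alerts


class TimelockedProxyAdmin:
    """Hypothetical mitigation: an upgrade must be proposed and can only be executed after
    `min_delay`. A leaked owner key can still propose, but the delay gives monitoring time to
    react (for example by removing the proxy from the trusted list) before the new
    implementation goes live."""

    def __init__(self, min_delay: timedelta):
        self.min_delay = min_delay
        self.pending: Dict[str, tuple] = {}        # proxy -> (impl, proposed_at)
        self.implementation: Dict[str, str] = {}   # proxy -> active implementation

    def propose_upgrade(self, proxy: str, impl: str, now: datetime) -> None:
        self.pending[proxy] = (impl, now)

    def execute_upgrade(self, proxy: str, now: datetime) -> bool:
        if proxy not in self.pending:
            return False
        impl, proposed_at = self.pending[proxy]
        if now - proposed_at < self.min_delay:
            return False  # too early: the upgrade stays pending
        self.implementation[proxy] = impl
        del self.pending[proxy]
        return True


def T(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed events; the two "Upgraded" timestamps are the ones given in the report.
SAMPLE_EVENTS = [
    Event(T("2023-12-12T21:00:00"), "ClaimTokens", "0xDEX_PROXY", caller="0xUSER_SWAP"),  # normal swap
    Event(T("2023-12-12T22:23:47"), "Upgraded", "0xDEX_PROXY", impl="0xIMPL_A"),
    Event(T("2023-12-12T22:25:10"), "ClaimTokens", "0xDEX_PROXY", caller="0xDRAINER"),
    Event(T("2023-12-12T22:30:00"), "ClaimTokens", "0xDEX_PROXY", caller="0xDRAINER"),
    Event(T("2023-12-12T23:53:59"), "Upgraded", "0xDEX_PROXY", impl="0xIMPL_B"),
    Event(T("2023-12-12T23:55:00"), "ClaimTokens", "0xDEX_PROXY", caller="0xDRAINER"),
]


def run_detection(window_hours: float = 2) -> List[Dict]:
    """Run the detector over the constructed sample events."""
    return upgrade_then_drain_alerts(SAMPLE_EVENTS, timedelta(hours=window_hours))


def demo_timelock() -> tuple:
    """Show that a 24h timelock blocks an immediate upgrade but allows it once the delay elapsed."""
    admin = TimelockedProxyAdmin(min_delay=timedelta(hours=24))
    admin.propose_upgrade("0xDEX_PROXY", "0xIMPL_A", T("2023-12-12T22:23:47"))
    immediate = admin.execute_upgrade("0xDEX_PROXY", T("2023-12-12T22:23:48"))  # blocked
    later = admin.execute_upgrade("0xDEX_PROXY", T("2023-12-13T22:23:47"))      # allowed
    return immediate, later


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
    print(demo_timelock())
```

On the sample data the detector raises two alerts, one per upgrade, and ignores the swap that happened before any upgrade; the first alert shows claimTokens traffic starting 83 seconds after the implementation changed. The timelock model shows the control that would have given the trusted-list removal mentioned above a chance to land before any funds moved.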