On November 11, DXS app, the Contract For Difference (CFD) trading platform built on Bitcoin, announced that it had been the victim of an exploit that resulted in 7,579 BSV ($282,000) in risk-free profits being captured by the attacker from March 2022 until October 2022.
Fortunately, none of the DXS liquidity providers lost funds, and the liquidity pool has a surplus of 7,149 BSV ($266,000) that continues to grow.
“It is important to acknowledge that this exploit was not a security breach, all wallets, both cold and hot, are safe. This exploit was a system vulnerability related to unlawful profit-taking, which is easy to identify with the powerful analytical tools we have in place now. Going into the future, we have developed a set of metrics that will automatically alert us of any suspicious behavior or malfunctioning price feeds,” said Armen Azatyan, the founder of DXS.
“This particular case is a massive hit for us, but it is not critical at all. Liquidity lost appx. 19% of its value, which has happened before in natural market conditions and was not noticed by any of our users or partners. Nevertheless, as a fully transparent on-chain business, we did report it and will continue to do so in the future,” he added.
How did it happen?
While the majority of DXS app users place their trades through the platform's UI, the attacker broadcast their DXS trades directly to the Bitcoin blockchain. This allowed them to circumvent limitations that were enforced only in the UI, such as the inability to place trades after the market closes or before it opens.
“The attackers manually constructed and broadcasted transactions compliant with the Bitcoin Trading Protocol (BTP), allowing them to bypass the DXS trading platform’s UI to open stock market trading positions outside of the New York Stock Exchange trading hours. Bypassing the DXS trading platform’s UI allowed the attackers to open stock market trading positions at the previous day’s close price with the benefit of knowing how prices had moved during pre- and post-market sessions,” said DXS App’s official announcement.
According to the DXS team, the attacker was able to keep exploiting the platform for several months because the attack was difficult to detect at first. Trading profits on DXS are paid from the platform's liquidity pool, which is funded by losing trades on the platform as well as by the platform's liquidity providers. For the first several months of the attack the liquidity pool continued to grow, which gave the impression that everything was running smoothly.
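The root cause described above is a control that lived only in the UI: a transaction broadcast straight to the chain never saw the "market is closed" check, so a position could be opened at the previous close after the after-hours move was already known. The following is an added example, not DXS code and not part of the Bitcoin Trading Protocol, of the two pieces a defender would want at the settlement layer instead: a gate that rejects stock position opens outside the regular New York session no matter how the transaction arrived, and a simple metric over historical opens that surfaces accounts repeatedly opening off-hours. The `TradeOpen` record, the account and transaction identifiers and all timestamps are constructed for the example; the US Eastern DST rule is hand-coded so the script runs without tzdata, and exchange holidays and early closes are deliberately not modelled.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone

# Regular NYSE session in New York local time. Holidays and early
# closes are not modelled in this example (simplification).
MARKET_OPEN = time(9, 30)
MARKET_CLOSE = time(16, 0)


@dataclass(frozen=True)
class TradeOpen:
    """A position-open event as a settlement service would see it.
    Every value in SAMPLE_TRADES below is constructed for this example."""
    txid: str            # placeholder identifier, not a real transaction id
    account: str
    symbol: str
    seen_utc: datetime   # when the transaction was observed, timezone-aware UTC


def utc(y: int, m: int, d: int, hh: int, mm: int) -> datetime:
    """Helper to build timezone-aware UTC timestamps."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


def _nth_sunday(year: int, month: int, n: int) -> date:
    first = date(year, month, 1)
    first_sunday = 1 + (6 - first.weekday()) % 7   # weekday(): Monday=0, Sunday=6
    return date(year, month, first_sunday + 7 * (n - 1))


def eastern_utc_offset(ts_utc: datetime) -> timedelta:
    """US Eastern offset for a UTC instant under the post-2007 DST rule:
    DST starts 2nd Sunday of March 02:00 EST (07:00 UTC) and ends 1st
    Sunday of November 02:00 EDT (06:00 UTC)."""
    year = ts_utc.year
    dst_start = datetime.combine(_nth_sunday(year, 3, 2), time(7, 0), tzinfo=timezone.utc)
    dst_end = datetime.combine(_nth_sunday(year, 11, 1), time(6, 0), tzinfo=timezone.utc)
    return timedelta(hours=-4) if dst_start <= ts_utc < dst_end else timedelta(hours=-5)


def is_regular_session(ts_utc: datetime) -> bool:
    """True only inside Mon-Fri 09:30-16:00 New York time."""
    if ts_utc.tzinfo is None or ts_utc.utcoffset() != timedelta(0):
        raise ValueError("timestamps must be timezone-aware UTC")
    local = ts_utc.astimezone(timezone(eastern_utc_offset(ts_utc)))
    if local.weekday() >= 5:          # Saturday or Sunday
        return False
    return MARKET_OPEN <= local.time() < MARKET_CLOSE


def validate_trade_open(trade: TradeOpen) -> tuple[bool, str]:
    """Settlement-side gate: the check runs on every observed transaction,
    so bypassing the UI does not bypass it."""
    if not is_regular_session(trade.seen_utc):
        return False, f"{trade.txid}: rejected, {trade.symbol} open outside regular session"
    return True, f"{trade.txid}: accepted"


def off_hours_accounts(trades, min_count: int = 2) -> dict[str, int]:
    """Detection metric over historical opens: accounts with at least
    `min_count` position opens outside the regular session."""
    counts = Counter(t.account for t in trades if not is_regular_session(t.seen_utc))
    return {acct: n for acct, n in counts.items() if n >= min_count}


# Constructed sample: mixes an in-session open, an open exactly at the close,
# an evening open, a weekend open and a pre-open trade during standard time.
SAMPLE_TRADES = [
    TradeOpen("tx-a1", "acct-1", "XYZ", utc(2022, 6, 15, 13, 35)),  # Wed 09:35 EDT
    TradeOpen("tx-a2", "acct-1", "XYZ", utc(2022, 6, 15, 20, 0)),   # Wed 16:00 EDT, close is exclusive
    TradeOpen("tx-b1", "acct-2", "ABC", utc(2022, 6, 15, 21, 0)),   # Wed 17:00 EDT
    TradeOpen("tx-b2", "acct-2", "ABC", utc(2022, 6, 18, 15, 0)),   # Saturday
    TradeOpen("tx-b3", "acct-2", "ABC", utc(2022, 1, 12, 14, 25)),  # Wed 09:25 EST, pre-open
    TradeOpen("tx-c1", "acct-3", "DEF", utc(2022, 1, 12, 14, 30)),  # Wed 09:30 EST
]

if __name__ == "__main__":
    for t in SAMPLE_TRADES:
        print(validate_trade_open(t)[1])
    print("accounts repeatedly opening off-hours:", off_hours_accounts(SAMPLE_TRADES))
```

The January and June samples deliberately straddle the DST change: a naive "09:30 UTC-5" rule would misclassify the 13:35 UTC June open as pre-market, which is exactly the kind of edge a price-feed or session check gets wrong in production. The metric side is intentionally coarse; in practice it would be joined with realised profit per account so that off-hours opens that consistently win stand out from the noise.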
“Until the very end of August (for six months), exploiters were draining the pool slowly, at first, the pool was even growing as a whole. In any case, a temporarily shrinking liquidity pool is not a red flag by itself; it has happened before and is natural,” said Azatyan.
“Afterward, we had been attributing the pool drainage to (1) high-frequency bot trading taking advantage of our zero-slippage policy and (2) some lagging price feeds exploited largely by accounts associated with the same actors,” he added.
However, in mid-September, when DXS App began working with the Bitcoin Association and using Chainalysis to further investigate the shrinking liquidity pool, it was able to trace the attacks back to two individuals and unearth their identities.
“We used Spokeo.com service to identify some of the exploiters’ social media accounts by emails, then BA (Bitcoin Association) helped with Chainalysis to connect all those accounts to these two individuals previously identified by Spokeo. IP addresses were additional proof. Unsurprisingly it turned out that both individuals were closely acquainted since they were sending significant amounts to each other.”
CoinGeek has been provided with anonymized correspondences between DXS App and the two attackers that reveal that both parties are working with their attorneys to end the dispute between the exploiters and the platform. While both sides work toward a resolution, DXS App will continue to make its trading platform more secure.
“DXS is growing, and word of mouth continues to spread, so we do expect more attacks in the future, and we will be ready. Within the next quarter, we will implement a real-time audit report, open source, and based on immutable txids so that anybody can openly and quickly verify our financial solvency,” said Azatyan.