Recently, the DEXX platform suffered a serious asset theft incident. As a multi-chain on-chain trading tool, DEXX supports features such as quick trading, anti-MEV, and strategy trading, and amid the memecoin market boom it offered hundreds of thousands of users an extremely convenient trading experience. However, on November 16, many users found that the assets in their accounts had been emptied.
The root cause is that DEXX adopted a centralized asset custody model similar to that of an exchange, but without an asset management solution offering a corresponding level of security. This architecture exposed almost all user assets to risk.
The incident not only reveals DEXX's weaknesses in asset management, but also offers an opportunity to understand the risks of custodial wallets more deeply.
The difference between custodial and self-custodial accounts
Custodial account: In traditional finance, centralized financial institutions have complete control over user assets, and users must apply to the institution to redeem their funds. For example, the address a centralized exchange assigns to a user is only used for deposits; the user has no operating permissions over it. All trades, transfers, and withdrawals must be approved by the platform.
This means that the platform's level of risk control largely determines the security of user assets.
Self-custodial account: A self-custodial account uses a decentralized wallet, so the user has full ownership and control of their assets. After generating a mnemonic phrase or private key in a trusted environment, the user can transfer the assets at that address without anyone's permission.
Whether the user exclusively controls the private key or mnemonic phrase of the address is the key feature that distinguishes custody from self-custody.
The difference between DEXX theft and exchange theft
Exchange account thefts usually fall into two categories: either the credentials controlling a user's custodial account on the platform are compromised, leading to illegal transfer of the assets, or the platform itself is hacked, with assets in the hot wallet transferred out directly, or even the private keys and mnemonic phrases of the cold wallet stolen.
DEXX adopted a similar centralized account architecture, letting users create addresses on the platform while sharing operating permissions over those addresses with the users. Unlike a CEX, however, DEXX did not pool users' custodied funds into a small number of centrally managed addresses protected by measures such as cold/hot wallet isolation and multi-signature management, which created the conditions for a single point of failure.
How should users avoid custody risks?
Security and convenience trade-off: Although traditional on-chain trading is cumbersome, bypassing those steps in pursuit of trading opportunities increases risk. It is therefore recommended that users adopt custodial services only with a full understanding of the risks, and limit their risk exposure to an acceptable range.
Don't trust blindly: Don't readily grant permissions over your address to other people or tools. In daily use, manage your permissions carefully and avoid using suspicious applications or clicking on unknown links.
Learn Web3 anti-fraud knowledge: Understanding common fraud methods can help investors avoid most potential risks. Bitrace has compiled a Web3 anti-fraud manual to help ordinary investors improve their security awareness. You can get it at this link: https://bitrace.io/en/blog
Conclusion
The DEXX incident shows that while enjoying the convenience brought by blockchain technology, one must always remain vigilant. By understanding the risks of custodial wallets and taking the corresponding precautions, investors can better protect their digital assets.