$5 000 000 USD

JULY 2021




"DDEX is a decentralized exchange platform in the process of expanding into decentralized lending so that they can offer their users the ability to create leveraged long and short positions. They're currently beta testing their decentralized margin exchange."


A "Peckshield alert shows that" "XDX Swap on DDEX, a cross-chain decentralized exchange on the Heco chain, was attacked. The attacker made a profit of 85.17 ETH (approximately $176,000)." "At present, the attacker has transferred all the profits across the chain to Ethereum."


"From July 1st to 2nd, the HECO ecological chain project XDX Swap (DDEX) was attacked by hackers, and various digital virtual currencies worth more than 5 million U.S. dollars in the fund pool were stolen."


"[T]he DdeX code is suspected to have a backdoor." "The DDEX project party and the HECO White Hat Security Network Alliance team confirmed that the attack was due to a vulnerability in the project's smart contract code. The attacker used the vulnerability to steal user assets stored in the fund pool."


"HECO initiated the first node governance, and returned over 5 million USD of funds recovered from the DDEX security incident 2021-08-21 19:08:05 42."

The DDEX XDX Swap project is an exchange platform operating on the HECO blockchain. The funds were stored in a smart contract hot wallet, which was exploited to take $5m USD worth of assets. A node governance maneuver allowed the funds to be returned from the attacker's wallet.


The primary issue here is the safe and secure storage of funds. All platform funds were stored in a smart contract hot wallet, which is impossible to prove as secure. The issue could have been avoided by storing customer funds primarily in offline multi-signature storage.


However, no funds were lost in this case, as the governance maneuver allowed for their return.


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.