OKX Reportedly Has ‘Serious Shortcomings’ in Security Settings

Wu Blockchain, an independent blockchain journalist, reported shortcomings in security settings in the crypto exchange, OKX.

OKX recently suffered a significant security breach involving its SMS notification system. 

Attackers reportedly exploited this vulnerability, allowing them to create new API keys with permissions to withdraw and trade. Many users have experienced thefts as a result. 

This incident at OKX is not isolated. Binance, another major exchange, has recently experienced a similar security breach. 

Per reports, OKX is conducting a thorough investigation, reaching out to affected users, and promising full accountability if found at fault.

The exchange requested patience during the investigation process and recommended enabling two-factor authentication (2FA) to prevent further breaches. Despite these reassurances, the security shortcomings revealed are causing concern among users and industry observers.

Security Shortcomings Highlighted

Blockchain reporter Wu Blockchain conducted an analysis revealing ‘serious shortcomings’ in OKX's security settings. These include:

1. Bypassing Google Authenticator Verification

OKX allows switching to lower security verification methods, such as SMS, during sensitive operations like adding a whitelist address, withdrawals, and various verification changes. This bypasses Google Authenticator (GA) verification, undermining its security benefits.

2. Lack of Withdrawal Ban for Sensitive Operations

OKX does not trigger a 24-hour withdrawal ban for sensitive operations such as disabling phone verification, disabling GA verification, and changing the login password. Withdrawal bans only apply when logging in on a new device. This represents a compromise in risk control measures for password changes.

3. Whitelist Address Withdrawals Lack Dynamic Verification

Withdrawals to whitelisted addresses are not subject to dynamic verification based on withdrawal amounts. Withdrawals up to the limit can proceed without further verification after an address is added to the whitelist. Other exchanges set limits requiring re-verification for larger amounts, providing an additional layer of security.

According to Wu Blockchain, the current shortcomings have exposed users to significant risks.