Taking the OKX security system as a sample, clarify the two main threads of the Web3 security world

OKX
2023-10-09 15:51:52
Systematically deconstruct the security systems of OKX Web3 wallet and OKX CEX, uncovering the essential issues in the Web3 security world from the team's actions, thoughts, and considerations.

Author: 0xFat


Talking about security cannot be separated from its antonym, risk.

Recently, a series of security incidents such as the theft of Mixin, CoinEx, and the attack on HTX's hot wallet have once again drawn investors' attention to industry security issues.

According to statistics from Pie Shield, as of September 25 the top ten hacker attacks were Mixin (loss of $200 million), Euler Labs (loss of $197 million, hackers have returned the funds), Vyper/Curve (loss of $73.6 million, hackers returned $52.3 million), CoinEx (loss of $70 million), Atomic Wallet (loss of $65 million), Stake (loss of $41 million), CoinsPaid (loss of $37.7 million), Poly Network (loss of $26 million), low-carb-crusader (loss of $25 million), and phishing targeting whales (loss of $24 million), with total losses of no less than $600 million.

In the dark forest of the crypto world, risks such as hacker attacks and phishing scams are constantly occurring.

This article will take OKX, which prioritizes security as the first principle of product design, as a sample to systematically analyze the security system of the OKX Web3 wallet and OKX CEX, uncovering the essential issues in the Web3 security world from the team's actions, thoughts, and considerations.

Regarding wallet security, identifying, marking, and intercepting risks in real-time is key

According to CertiK's Q2 2023 Web3.0 industry security report, CertiK discovered a total of 212 security incidents, with malicious actors extracting $310 million worth of tokens from the Web3.0 industry. This highlights the severity of on-chain asset security issues.

Taking the commonly used Ethereum EOA account as an example, assets can generally only be transferred away in three cases: a lost private key, an approval granted to a malicious contract via the approve function, or a signed message that embeds a malicious transfer request via the permit function.

Regarding the issue of lost private keys, on one hand, it can be due to inexperienced users losing their mnemonic phrases, which often occurs among newcomers; on the other hand, it may be due to users voluntarily entering their private keys and mnemonic phrases on phishing sites when claiming airdrops. Both situations are quite common. Additionally, there are cases where users download malicious wallets or have their computers/phones infected with trojans, leading to hackers gaining control. However, with current smartphones and computers, as long as users download software from legitimate websites and remember to update to the latest versions, it is difficult to fall victim to such attacks.

To address the issue of lost private keys due to inexperienced users, the OKX Web3 wallet has introduced an MPC non-custodial wallet to help users mitigate risks.

MPC, short for Multi-Party Computation, can be simply understood as a multi-signature wallet. The OKX Web3 MPC wallet uses MPC technology to split the private key into three fragments, which are stored by OKX exchange, the user's device, and cloud backup (iCloud/Google Drive) respectively. When creating a wallet, users only need to log into the OKX app, choose to create an address using the non-custodial wallet method, and enable cloud backup to back up the third fragment, eliminating the need to manually store the mnemonic phrase. Users need 2 out of 3 fragments to complete the signing authorization, and no plaintext private key is exposed during the transaction process. This effectively addresses the asset security issues caused by private key leakage. Additionally, OKX has set up an emergency escape function for the MPC wallet, allowing users to quickly obtain their private keys and transfer assets by entering the cloud backup password at the emergency exit in special situations, ensuring safety and convenience.

Security issues related to mnemonic phrases mostly affect beginners. For users with interaction experience, risks mainly arise during the approve authorization and permit signing processes, such as the phishing risks mentioned above.

The approve function is a crucial part of on-chain interactions, allowing contracts to call the transferFrom function to transfer assets from an address according to the rules defined in the contract code. Once approval is granted to a malicious contract, there is a significant risk of asset theft.

The signing risk mainly stems from the permit extension of the ERC20 protocol, which allows users to complete authorization by signing a message and sending the signed result to another wallet, which then completes the asset transfer. This is commonly seen when users use DEX order features. For example, with 1inch's Fusion feature, users can sign messages for their orders, and after signing, they can delegate their assets to 1inch for processing without paying gas fees, after which 1inch will provide the tokens the user wishes to purchase. In this process, if a website forges a malicious message and prompts the user to sign it, the consequences can be severe.

Therefore, risk monitoring is particularly important.

The OKX Web3 team has developed an authorization management page where users can directly view their authorization status on protocols and tokens, and can cancel authorizations directly on that page to avoid unnecessary risks. For malicious or risky contracts, the OKX Web3 wallet integrates the KYT (Know Your Transaction) system to help users with risk detection. Currently, this system includes over 300 million cryptocurrency addresses and can effectively detect risks and provide automatic alerts when users interact with malicious addresses or suspicious transactions (such as phishing).

Neil, the head of security architecture for the OKX Web3 team, stated that OKX will implement layered processing for address labels in the future. Whitelisted addresses will be handled with regular prompts, graylisted addresses with standard risk warnings, and blacklisted addresses will be directly intercepted. The team will continue to build on risk prevention, risk clearing, risk coverage, and user education to strengthen the security protection system and steadfastly act as a guardian of user safety.
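
The approve and permit risks and the layered whitelist/graylist/blacklist handling described above can be combined into a single pre-signing check. The following is an added example, not OKX's code: the label table, the sample addresses and the function names extractGrant and assess are constructed for illustration, and treating an unlabeled address as graylisted is an assumption.

```javascript
// Added illustration, not OKX code. Addresses and labels below are constructed.
const MAX_UINT256 = (1n << 256n) - 1n;
const APPROVE_SELECTOR = "0x095ea7b3"; // approve(address,uint256)
// Hypothetical label table standing in for a KYT address database.
const LABELS = new Map([
  ["0x1111111111111111111111111111111111111111", "white"],
  ["0x2222222222222222222222222222222222222222", "black"],
]);

// Extract who is being authorized, and for how much, from either request type.
function extractGrant(req) {
  if (req.kind === "transaction") {
    const data = req.data.toLowerCase();
    // 4-byte selector + two 32-byte ABI words = 10 + 128 hex characters.
    if (!data.startsWith(APPROVE_SELECTOR) || data.length !== 138) return null;
    return { via: "approve", spender: "0x" + data.slice(34, 74),
             amount: BigInt("0x" + data.slice(74)) };
  }
  if (req.kind === "typedData" && req.typedData.primaryType === "Permit") {
    const m = req.typedData.message; // EIP-2612: owner, spender, value, nonce, deadline
    return { via: "permit", spender: m.spender.toLowerCase(),
             amount: BigInt(m.value), deadline: BigInt(m.deadline) };
  }
  return null; // not an authorization request
}

// Layered handling: white -> normal prompt, gray -> risk warning, black -> intercept.
// Assumption: an address with no label is treated as gray.
function assess(req, nowSeconds) {
  const grant = extractGrant(req);
  if (!grant) return { action: "prompt", label: null, reasons: [] };
  const label = LABELS.get(grant.spender) || "gray";
  const reasons = [];
  if (grant.amount === MAX_UINT256) reasons.push("unlimited allowance");
  if (grant.via === "permit") {
    reasons.push("signature grants an allowance without a transaction from the owner");
    if (grant.deadline - BigInt(nowSeconds) > 86400n) reasons.push("long-lived deadline");
  }
  const action = { white: "prompt", gray: "warn", black: "block" }[label];
  return { action, label, reasons };
}

// Constructed sample requests: an unlimited approve and a permit to a blacklisted spender.
const approveTx = { kind: "transaction",
  data: APPROVE_SELECTOR + "0".repeat(24) + "3".repeat(40) + "f".repeat(64) };
const permitSig = { kind: "typedData", typedData: { primaryType: "Permit", message: {
  owner: "0x4444444444444444444444444444444444444444",
  spender: "0x2222222222222222222222222222222222222222",
  value: "1000000", nonce: "0", deadline: "1700000000" } } };
```

With the current time set to 1696000000, the approve request yields a warning for an unlimited allowance to an unlabeled spender, and the permit request is blocked because its spender is blacklisted.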

In fact, besides the hidden risks in the interaction environment, the security of the wallet itself is also crucial. Currently, the OKX Web3 wallet has fully open-sourced the multi-chain signing SDK, the core algorithm of the MPC non-custodial wallet, the AA wallet, and BRC20-S. The significance of open-sourcing the code lies in achieving product transparency and reliability, while also promoting communication and open collaboration among developers through peer "evaluation," thereby advancing the development of Web3 technology.

Of course, in addition to various on-chain risks, systemic risks triggered by the collapse of centralized platforms like FTX are even more concerning.

Regarding CEX security, the focus is on self-regulation and building a robust risk control system

From the exit of Fcoin to the explosion of FTX, many CEX platforms have not escaped the curse of collapse in recent years. This is largely due to poor internal management against the backdrop of rapid growth and a mismatch in corporate responsibility awareness, but the more fundamental reason lies in human nature.

Thus, self-restraint and self-regulation have become essential for CEX.

Since the end of last year, leading companies in the industry have begun to adopt self-regulatory models, enhancing fund transparency through mechanisms like proof of reserves (POR) and publicly disclosing user fund situations on-chain.

According to official information, OKX has released proof of reserves for 11 consecutive months, with the reserve ratios of 22 publicly listed tokens exceeding 100%. Among them, the reserve ratios for BTC, ETH, and USDT are 102%, 103%, and 102%, respectively, with a total value of $11.2 billion, making it one of the few mainstream crypto exchanges that publishes proof of reserves monthly. Relevant personnel stated that OKX is committed to enhancing the transparency of POR to traditional financial audit standards and will continue to lead the industry in safety and transparency. The POR system has been upgraded using innovative technologies like zk-STARK, allowing users to independently verify OKX's solvency at any time. As of now, hundreds of thousands of users have participated in accessing the POR page and completed self-verification.

Discussing CEX security inevitably touches on human weaknesses, but this is not something that can be overcome in the short term. For ordinary users, the focus should be on how to ensure asset safety during extreme events. For platforms, it is crucial to clearly understand that helping users "stay safe" during crises is the core competitive advantage.

During the Luna collapse, OKX's risk control system immediately activated an automatic redemption mechanism, helping users participating in UST investments to avoid disaster. In the 3Commas API data leak incident, OKX was the only platform among its many partnered exchanges where users experienced zero losses and had the most robust security performance. In the face of various challenges, OKX has consistently demonstrated outstanding "quality."

The ability to navigate through storms repeatedly lies in the OKX team's proactive simulation of potential risks and the significant time and effort invested in establishing and iterating the risk control system. The person in charge of the risk control system stated, "OKX's API system features a powerful Fast API function, IP whitelisting, anti-fraud risk control, and third-party whitelisting functions. These are core features of the OKX API risk control system. Even if hackers invade the API keys, they cannot easily use them. Although users may not perceive these measures in their daily use, they always play a silent role at critical moments."

Indeed, security does not require sensational stories; its essence lies in whether the platform can maintain a sense of responsibility at all times. This seems to require a fulcrum. The risk control leader admitted that OKX's sense of responsibility is rooted in the hope of promoting "technology for good" to take root in Web3.

Returning to the essence of security issues

As the industry develops, the types of security issues will become increasingly diverse, especially in the current market environment where many hackers are targeting the crypto world. For security guardians, the challenges will also multiply. Perhaps only with such a belief can OKX continue to move forward.

By dissecting OKX's security system, it is evident that their approach and mindset regarding Web3 security have clarified the two main threads of development in the Web3 security world, and they have established robust defenses along these two threads. We have reason to believe that OKX can play the role of a security guardian in the Web3 world in the future.

Although security issues ultimately always return to the question of whether human nature leans towards good or evil, as ordinary users, it is indeed very difficult for us to discern. We can only strive to raise our awareness of security precautions and choose platforms with significant influence as much as possible, because the greater the influence, the more they cherish their reputation, and naturally, they can adhere to righteous intentions.
