On November 16, user assets on the on-chain trading terminal DEXX were stolen, leading to significant short-term dumps of multiple meme coins and severely dampening the enthusiasm of the meme market. According to incomplete estimates from the community, the DEXX incident has impacted over 500 independent victims, with losses estimated to be around $13 million.
DEXX founder Roy stated that user losses would be compensated, and several users reported that their assets had been isolated to secure addresses. However, in similar past incidents, cases where funds were successfully recovered and users satisfactorily compensated have been rare.
Following the DEXX theft, the community has begun to re-examine this meme-specific trading platform.
DEXX’s audit was conducted by CertiK, which scored DEXX at 59.31, a failing grade, and flagged 9 risks. The single major risk, “centralization,” remained unresolved; two of the four medium-level risks, including “vulnerable code,” were still unaddressed; and of the four low-level risks, only one had been resolved.
Previously, DEXX claimed to use a non-custodial wallet for private key storage. However, community observations revealed that DEXX actually managed user private keys through centralized methods.
SlowMist founder Yu Jian noted, “The affected users were those involved in meme coin trading on DEXX. The private keys were centrally managed by DEXX and were definitely leaked, though the method of the leak is still under investigation.”
Additionally, the community found that when a private key was exported through the browser’s developer tools, the key appeared in plaintext in the server’s response. A server can only return a key it holds, so the keys were stored on DEXX’s own servers rather than generated and kept on the user’s device. If that channel had been unencrypted, an attacker on the network path could have read keys in transit; even over HTTPS, sending a private key to the browser exposes it to browser vulnerabilities and other client-side weaknesses, and leaves a copy on the server to be breached.
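As an added check (example code written for this article, not DEXX’s code or part of any audit), the quickest way to test a “non-custodial” claim is to watch the wallet’s API traffic in the browser’s developer tools and scan the response bodies for private-key-shaped values: a backend that never holds keys cannot return one. The scanner below is illustrative; the response bodies are constructed, the field names (privateKey, address) are assumptions, and it checks only the shape of a string, not whether it is a valid key.

```javascript
// Added example, not DEXX's code: scan captured wallet API responses for private-key
// material. The response bodies below are constructed for this example; in practice
// you would paste them from the browser's developer tools (Network tab).

// Patterns for common private-key encodings. These are shape checks only: the mnemonic
// pattern does not validate words against the BIP39 wordlist.
const PATTERNS = [
  { kind: 'hex_32_byte_key', re: /^(?:0x)?[0-9a-fA-F]{64}$/ },          // e.g. EVM private key
  { kind: 'base58_64_byte_key', re: /^[1-9A-HJ-NP-Za-km-z]{87,88}$/ }, // e.g. Solana keypair export
  { kind: 'mnemonic_12_or_24', re: /^(?:[a-z]+\s+){11}[a-z]+$|^(?:[a-z]+\s+){23}[a-z]+$/ },
];
// Field names worth a manual look even when the value is not key-shaped.
const SENSITIVE_NAME = /priv|secret|mnemonic|seed|phrase/i;

function classify(value) {
  if (typeof value !== 'string') return null;
  const v = value.trim();
  const hit = PATTERNS.find((p) => p.re.test(v));
  return hit ? hit.kind : null;
}

// Depth-first walk of a parsed JSON body; records every key-shaped value and every
// sensitively named field together with its JSON path (e.g. "data.privateKey").
function walk(node, path, findings) {
  if (node !== null && typeof node === 'object') {
    for (const [key, child] of Object.entries(node)) {
      walk(child, path ? `${path}.${key}` : key, findings);
    }
    return;
  }
  const kind = classify(node);
  const name = path.split('.').pop();
  if (kind) {
    findings.push({ path, kind, severity: 'key_material' });
  } else if (SENSITIVE_NAME.test(name)) {
    findings.push({ path, kind: 'sensitive_field_name', severity: 'review' });
  }
}

function scanResponse(bodyText) {
  const findings = [];
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch {
    return [{ path: '', kind: 'unparseable_body', severity: 'review' }];
  }
  walk(body, '', findings);
  return findings;
}

function hasKeyMaterial(findings) {
  return findings.some((f) => f.severity === 'key_material');
}

// Constructed samples (field names are assumptions). A genuinely non-custodial backend
// can never produce the first one, because it has no private key to return.
const LEAKY_EXPORT_RESPONSE = JSON.stringify({
  code: 0,
  data: {
    address: '4'.repeat(44),     // placeholder base58-looking address
    privateKey: '3'.repeat(88),  // placeholder 64-byte key in base58 form
  },
});
const SAFE_RESPONSE = JSON.stringify({
  code: 0,
  data: { address: '4'.repeat(44), balance: '12.5', message: 'insufficient balance for this order' },
});

console.log(scanResponse(LEAKY_EXPORT_RESPONSE)); // flags data.privateKey as key_material
console.log(hasKeyMaterial(scanResponse(SAFE_RESPONSE))); // false
```

A single key_material finding on an “export” or “login” endpoint is enough to settle the question: the platform is custodial in practice, whatever the front page says, and the key should be treated as compromised if the platform is.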
Whether the incident is ultimately deemed a hacker attack or insider misconduct, it is evident that DEXX operated under the mindset that “users don’t understand, are easily deceived, and don’t care whether private keys are genuinely non-custodial.” While we cannot control project teams’ attitudes or actions, we can adopt principles to minimize our losses in similar incidents. Without strict risk management of one’s own assets, there is no guarantee of secure funds.
Choosing a secure way to store assets starts with selecting a reliable wallet based on your needs. Mainstream crypto wallets can be categorized into custodial and non-custodial wallets based on where the private keys are stored.
Custodial cryptocurrency wallets store assets on behalf of users. This means a third party holds and manages the private keys and signs transactions on the user’s behalf. Consequently, users do not have complete control over their funds and cannot sign transactions themselves. When choosing a custodial service provider, consider factors such as regulatory status, service types, how private keys are stored, and whether insurance is provided.
Non-custodial cryptocurrency wallets give users full control of their private keys. This type of wallet is suitable for those who wish to have complete control over their funds. Without intermediary intervention, users can directly trade cryptocurrencies from their wallets. However, this also means users bear full responsibility for their keys, facing risks like loss and attacks.
Just as you wouldn’t put all your eggs in one basket, it’s important to effectively segregate your assets. Here’s a standard approach to asset storage:
Reminder: There have been reports of phishing scams targeting DEXX victims, such as “victim support groups,” “DEXX theft registration,” or “DEXX compensation” offers. Users should be cautious, avoid uploading private keys or seed phrases, and not connect wallets for confirmations to prevent further harm.