What happened?

As a fully transparent on chain business we are reporting the following:

Between March 2022 and October 2022, two individuals colluded and exploited a vulnerability on the DXS trading platform allowing them to capture 7,579 BSV ($282k USD) in risk-free profits over 2,255 separate trading positions.

The good news is that the liquidity pool still has a surplus of 7,149 BSV ($266k USD) meaning that no liquidity provider has lost funds and the pool is quickly recovering (over 1,525 BSV added in 32 days post exploit fix).

We would like to take this opportunity to apologize to our existing liquidity providers. We feel we have damaged our reputation and will attempt in this post to regain some trust.

What was the exploit?

The attackers manually constructed and broadcasted transactions compliant with the Open Liquidity Protocol (OLP) allowing them to bypass the DXS trading platform’s UI to open stock market trading positions outside of the New York Stock Exchange trading hours.

An example is shown below for BSV/USD:

Such activity is necessary to bypass the DXS trading platform’s UI, which blocks out-of-hours trading:

Bypassing the DXS trading platform’s UI allowed the attackers to open stock market trading positions at the previous day’s close price with the benefit of knowing how prices had moved during pre- and post-market sessions.

Here’s what we should have done:

1. We should have had better controls in place that checked the validity of trading positions against market opening hours. There were controls like this actually in place, but they were not properly tested and did not operate as expected.

2. We should have had better analytics tooling in place to monitor the suspicious trading behavior of DXS traders.

We have since remedied the above.

What’s the damage?

Recall that trading profits on DXS are paid from the Open Liquidity Protocol’s (OLP) liquidity pool. The liquidity pool is funded by liquidity providers (in blue below). In addition to contributions from liquidity providers, the liquidity pool gradually accrues a surplus (in green below) as it absorbs the excess trading losses of DXS traders:

The effect of the exploit is shown below in red:

During the period of the exploit, a small percentage of available session liquidity was absorbed by the attackers (in red below) increasing the frequency of profit deductions (in blue below):

What are you going to do about this exploit, DXS?

We have identified the two individuals responsible for this exploit. We are communicating with these individuals and will attempt to return the stolen 7,579 BSV to the liquidity pool by any lawful means possible.

It is a massive hit, but there is no doubt in our mind that the DXS pool will quickly recover, as already proven by our track record before the exploit and by adding over 1,500 BSV in 20 days after the exploit was fixed.

In 1888, German philosopher Friedrich Nietzsche first stated, “...what doesn't kill me, makes me stronger.”

We would like to give a massive thanks to the Bitcoin Association who used Chainalysis to provide us with thorough supplementary evidence against the attackers.