OKX Archives | Protos
https://protos.com/tag/okx/
Informed crypto news
Wed, 10 Jul 2024 15:50:40 +0000

OKX overpaid massively to consolidate bitcoin UTXOs
https://protos.com/okx-overpaid-massively-to-consolidate-bitcoin-utxos/
Wed, 10 Jul 2024 15:50:35 +0000

OKX embarrassingly overpaid to consolidate its UTXOs. Someone in its wallet management department is not happy.

The post OKX overpaid massively to consolidate bitcoin UTXOs appeared first on Protos.

OKX is one of the world’s 10 largest crypto exchanges and processes over $100 billion in spot bitcoin transactions annually. However, despite its size and seven-year operating history, its employees made a rookie mistake that hints at only a basic understanding of the Bitcoin network and managing unspent transaction outputs (UTXO).

The exchange recently repeated an embarrassing mistake that it first made in October 2023: bidding against itself. Specifically, it broadcast UTXO-consolidating bitcoin transactions at average fee rates but then, incredibly, started bidding against its own transactions.

Because of poor safeguards while dealing with the Bitcoin network, OKX wound up paying six times the fee rate it would otherwise have paid had it not bid against itself.

In the end, OKX bid over 350 satoshis per virtual byte of data (s/vb) after a starting bid of just 53 s/vb to consolidate its UTXOs.

What are bitcoin UTXO consolidations?

Bitcoin wallets that receive and send many transactions end up with a lot of UTXOs. These are commonly known as simply ‘bitcoin,’ the unspent coins in a wallet.

Unlike account-based blockchains like Ethereum which automatically consolidate assets into a single balance, each bitcoin UTXO requires bidding a separate transaction fee so that miners include that particular UTXO within a valid block of data.

When transaction fees are high on Bitcoin, large wallets usually allow their UTXO sets to proliferate. After a few months have passed and fee rates have declined, large wallets take the opportunity to consolidate their UTXOs.

Rather than paying over 1,250 bitcoins in daily fees to store data blocks on Bitcoin’s ledger on April 19, for example, bitcoin users who waited until today can pay less than 15 for the same amount of data storage.

Patience for UTXO consolidations certainly allows Bitcoiners to save on their transaction fees — unless, of course, they insist on bidding against themselves.

Protos reached out to OKX for comment but had not received a response by press time.

OKX SIM-swap leads to discovery of 2FA security flaw
https://protos.com/okx-sim-swap-leads-to-discovery-of-2fa-security-flaw/
Mon, 10 Jun 2024 17:02:58 +0000

Two OKX users who lost access to their accounts and crypto led security analysts to discover a verification flaw in OKX security.

The post OKX SIM-swap leads to discovery of 2FA security flaw appeared first on Protos.

A flaw in the two-factor authentication (2FA) security system used by crypto and derivatives exchange OKX has apparently been discovered after two users reported that their accounts had been hacked and their funds drained in a suspected SIM-swapping attack.

The founder of blockchain security firm SlowMist, Yu Xian, reported that the users received SMS risk notifications from Hong Kong before a new API key was created as part of their account authentication process.  

Following up on these reports, security analyst Dilation Effect (DE) claims to have found a flaw in OKX’s authentication system. It said that users are able to switch from 2FA to ‘lower security verification methods,’ like SMS verification, during OKX’s sensitive user operations.

Founder of SlowMist reporting on the two OKX accounts. 

Such sensitive actions include withdrawals, whitelisting addresses, changing the login password, and disabling 2FA verification. DE says these actions don’t trigger a 24-hour withdrawal ban and that a ban is only triggered when logging into a new device. 

Additionally, if an address is whitelisted, DE claims large amounts of crypto can be withdrawn without the need for additional verification. “This quick analysis reveals that OKX’s security settings lack baseline design. Possibly to enhance user experience, OKX has made significant compromises in security,” DE said. 

However, Yu claimed to be unsure if Google’s authenticator is the ‘key point’ in this attack, adding, “There’s no need to panic. If the impact is large, the performance of related events should be more exaggerated. Let’s wait for more disclosures.”

SlowMist claims that they are tracking the wallets of the hacker behind the breach of the two accounts and have asked anyone suffering a similar exploit to contact them.
