Using OKX's security framework as a case study, untangle the two main threads of Web3 security
TechFlow Selected TechFlow Selected
Using OKX's security framework as a case study, untangle the two main threads of Web3 security
This article will take OKX, which prioritizes safety as the first principle in product design, as a case study to systematically analyze the security architectures of the OKX Web3 wallet and OKX CEX.
Navigating Web3 tides with focused insightsTalking about security inevitably involves its antonym: risk.
Recent security incidents—including the hacks of Mixin and CoinEx, as well as the attack on HTX's hot wallet—have once again drawn investor attention to industry security issues.
According to PeckShield statistics, as of September 25, the top ten largest hacking incidents—including Mixin (loss of $200 million), Euler Labs (loss of $197 million, later returned by hacker), Vyper/Curve (loss of $73.6 million, with $52.3 million returned), CoinEx (loss of $70 million), Atomic Wallet (loss of $65 million), Stake (loss of $41 million), CoinsPaid (loss of $37.7 million), Poly Network (loss of $26 million), low-carb-crusader (loss of $25 million), and phishing attacks targeting whales (loss of $24 million)—resulted in total losses of no less than $600 million.
In the dark forest of the crypto world, risks such as hacking and phishing scams are ever-present.
This article takes OKX—a company that places security first in product design—as a case study, systematically breaking down the security architecture of OKX Web3 Wallet and OKX CEX, aiming to uncover the fundamental truths behind security in the Web3 world through an examination of the team’s actions, thinking, and philosophy.
Regarding wallet security, identifying, labeling, and real-time interception of risks are key
According to CertiK’s Q2 2023 Web3.0 Industry Security Report, CertiK identified 212 security incidents during the quarter, with hackers and malicious actors extracting tokens worth $310 million from the Web3.0 ecosystem. This underscores the severity of on-chain asset security.
Take Ethereum’s EOA accounts, commonly used by individuals. Under normal circumstances, assets can only be transferred if private keys are lost, if the approve function authorizes a malicious contract, or if the permit feature is used to sign a message containing malicious transfer instructions.
Private key loss typically stems from user inexperience—such as misplacing recovery phrases, which often occurs among new users—or actively entering private keys or seed phrases on phishing websites when claiming airdrops. Both scenarios are common. There are also cases where users download malicious wallets or use devices infected with malware, allowing hackers to take control. However, provided users download software from official sources, keep their systems updated, and possess basic cybersecurity awareness, such infections are increasingly rare.
To address private key loss due to user inexperience, OKX Web3 Wallet has introduced an MPC (Multi-Party Computation) keyless wallet to help users mitigate such risks.
MPC, or Multi-Party Computation, can be simply understood as a multi-signature wallet. OKX Web3 MPC Wallet splits the private key into three fragments using MPC technology, stored separately by OKX exchange, the user’s device, and cloud backup (iCloud/Google Drive). When creating a wallet, users need only log into the OKX app, select the keyless wallet option, and enable cloud backup to store the third fragment—no manual management of seed phrases required. Transactions require two out of three fragments to authorize, ensuring private keys never appear in plaintext during any transaction. This approach significantly reduces the risk of asset theft due to private key exposure. Additionally, OKX has implemented an emergency escape feature: in urgent situations, users can enter their cloud backup password at the emergency exit to quickly retrieve their private key and transfer assets—secure and convenient.
Security issues related to seed phrases due to user inexperience mainly affect beginners. For more experienced users, risks often arise during approve authorizations and permit signatures—such as the aforementioned phishing threats.
The approve function is critical in on-chain interactions, allowing contracts to call the transferFrom function to move assets according to predefined rules. Once approval is granted to a malicious contract, significant asset theft becomes highly likely.
Signature risks primarily stem from the permit extension of the ERC20 standard, which allows users to complete authorization via message signing, sending the signature to another wallet to execute asset transfers. This is common in DEX limit orders—for example, 1inch’s Fusion feature lets users sign order messages, enabling 1inch to handle their assets without gas fees, then deliver the desired tokens. If a malicious site tricks users into signing fraudulent messages, the outcome is often regrettable.
Therefore, risk monitoring is crucial.
OKX Web3 has developed a centralized authorization management page where users can view and directly revoke their protocol and token authorizations, mitigating unnecessary risks. For malicious contracts, OKX Web3 Wallet integrates the KYT Tianyan system for risk detection. The system currently contains over 300 million cryptocurrency addresses and effectively detects and automatically alerts users when they interact with malicious addresses or suspicious transactions (such as honeypot scams or phishing).
Neil, head of security architecture at OKX Web3, said the team will implement tiered address labeling: whitelist addresses receive standard notifications, graylist addresses trigger regular risk warnings, and blacklist addresses will be blocked outright. Moving forward, the team will continue strengthening preventive measures, risk cleanup, safety nets, and user education to reinforce the security framework, steadfastly serving as the user’s security guardian.
Beyond hidden risks in interaction environments, the wallet’s own security is equally vital. Currently, OKX Web3 Wallet has fully open-sourced its multi-chain signing SDK, core algorithms of its MPC keyless wallet, AA wallet, and BRC20-S. Open-sourcing code enhances transparency and reliability, invites peer review, fosters developer collaboration, and drives progress in Web3 technology.
Of course, beyond on-chain risks, systemic risks stemming from collapses like FTX are even more concerning.
Regarding CEX security, the focus lies in self-regulation and building a robust risk control system
From Fcoin’s collapse to FTX’s implosion, many CEX platforms have fallen over the past few years. The root causes often lie in poor internal management amid rapid growth and a mismatch with corporate responsibility—though more fundamentally, it comes down to human nature.
Thus, self-restraint and self-regulation have become essential for CEXs.
Since late last year, leading industry players have adopted self-regulatory models, enhancing fund transparency through mechanisms like Proof of Reserves (POR), publicly disclosing user fund data on-chain.
According to official data, OKX has published its Proof of Reserves for 11 consecutive months, with reserve ratios exceeding 100% across 22 audited cryptocurrencies—BTC at 102%, ETH at 103%, and USDT at 102%, totaling $11.2 billion. It is one of the few major crypto exchanges to publish monthly POR reports. Insiders say OKX aims to elevate POR transparency to traditional financial audit standards, continuously leading the industry in security and transparency. The POR system has been upgraded with innovative technologies like zk-STARK, allowing users to independently verify OKX’s solvency at any time. To date, hundreds of thousands of users have accessed the POR page and completed their own verifications.
Discussions on CEX security always circle back to human weaknesses—but these aren’t easily overcome in the short term. For ordinary users, the more pressing concern is how to ensure asset safety when extreme events occur. For platforms, the core competitiveness lies in helping users remain unscathed during crises.
During the Luna collapse, OKX’s risk control system immediately activated an automatic redemption mechanism, helping users invested in UST avoid losses; in the 3Commas API data leak incident, OKX was the only partner exchange among many where users suffered zero losses and demonstrated the strongest security safeguards. In facing various challenges, OKX has consistently shown solid resilience.
The key to weathering multiple storms lies in OKX’s proactive simulation of potential risks and its continuous investment in building and iterating its risk control systems. A responsible executive stated: “OKX’s API system features powerful capabilities including Fast API, IP whitelisting, anti-fraud controls, and third-party whitelists—core components of our API risk management framework. Even if hackers obtain API keys, they cannot easily misuse them. While users may not notice these measures daily, they silently play a critical role when it matters most.”
Indeed, security doesn’t need flashy stories. Its essence lies in whether a platform consistently maintains a sense of responsibility. As the risk control lead admitted, OKX’s moral foundation rests on the hope of fostering “tech for good” taking root in Web3.
Returning to the essence of security
As the industry evolves, types of security threats will multiply—especially in today’s market environment, where many hackers are setting their sights on the crypto world. Security guardians face growing challenges. Perhaps only a strong conviction enables OKX to keep moving forward.
By dissecting OKX’s security architecture, we clearly see its methodology and mindset toward Web3 security. The team has clarified the two main trajectories of Web3 security development and built robust defenses along both paths. We have every reason to believe that OKX can fulfill its role as a guardian of the Web3 world in the future.
Although security ultimately comes down to whether human intentions are good or evil, as ordinary users, we struggle to make such distinctions. Our best course is to enhance personal security awareness and choose platforms with greater influence—because the larger the platform, the more it values its reputation, and thus the more likely it is to uphold integrity.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
OKX
