The Phemex Exchange Exploit: A Deep Dive into the $37 Million Hack

Securr - Web3 Security
3 min read · Jan 24, 2025


On January 23, 2025, Phemex, a well-known cryptocurrency exchange based in Singapore, fell victim to a significant security breach that resulted in the unauthorized withdrawal of approximately $37 million in digital assets. This incident marks one of the largest hacks in the cryptocurrency space this year and raises serious questions about the security protocols employed by centralized exchanges.

Smart Contract Hack Overview

  • Attacker Address: 0x5b34…7e22
  • Vulnerable Contract: 0x50be…6772
  • Attack Transaction: The attack involved over 125 suspicious transactions across multiple blockchain networks, including Ethereum, Binance Smart Chain (BSC), Polygon, Optimism, Base, and Arbitrum.

Overview of the Attack

The breach was first detected by blockchain security firm Cyvers, which flagged suspicious transactions involving Phemex’s hot wallets. Initial reports indicated that around $29 million had been withdrawn; however, further investigations revealed that the total losses exceeded $37 million as attackers exploited vulnerabilities across multiple blockchain networks.

The attackers targeted various tokens and stablecoins stored in Phemex’s hot wallets. Notable withdrawals included:

  • 1,767,957 USDC
  • 1,021,719 CRV
  • 744,696 USDT
  • 1,879 AAVE
  • 110,700 LINK
  • 142 billion PEPE
  • 1,187,531 FET

The stolen assets were quickly funneled into a single externally owned address (EOA) and converted into Ethereum to obscure their trail and evade detection.
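The pattern described above, hot-wallet outflows on several chains converging on one address, is something a monitoring pipeline can alert on. The following is an added example, not code from the original post and not the detection logic used by Cyvers or Phemex; the record fields, thresholds, allowlist, and addresses are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    ts: int      # unix seconds
    chain: str
    src: str
    dst: str
    token: str
    usd: float   # USD value at transfer time

def flag_convergence(transfers, hot_wallets, allowlist,
                     window=3600, min_chains=2, min_usd=1_000_000):
    """Alert on non-allowlisted destinations that receive hot-wallet outflows
    on >= min_chains chains worth >= min_usd within `window` seconds."""
    hot = {a.lower() for a in hot_wallets}      # EVM addresses compare case-insensitively
    allowed = {a.lower() for a in allowlist}
    by_dst = defaultdict(list)
    for t in transfers:
        if t.src.lower() in hot and t.dst.lower() not in allowed:
            by_dst[t.dst.lower()].append(t)
    alerts = []
    for dst, txs in by_dst.items():
        txs.sort(key=lambda t: t.ts)
        start = 0
        for end in range(len(txs)):
            while txs[end].ts - txs[start].ts > window:   # slide window forward
                start += 1
            win = txs[start:end + 1]
            chains = sorted({t.chain for t in win})
            total = sum(t.usd for t in win)
            if len(chains) >= min_chains and total >= min_usd:
                alerts.append({"dst": dst, "chains": chains, "usd": total, "count": len(win)})
                break   # one alert per destination is enough to page someone
    return alerts

# Constructed sample data: placeholder addresses, not values from the incident.
HOT_A, HOT_B = "0x" + "11" * 20, "0x" + "22" * 20
COLD, USER, DEST = "0x" + "cc" * 20, "0x" + "dd" * 20, "0x" + "ee" * 20
SAMPLE = [
    Transfer(1000, "ethereum", HOT_A, DEST, "USDC", 900_000.0),
    Transfer(1300, "bsc", HOT_B, DEST, "USDT", 400_000.0),
    Transfer(1400, "polygon", HOT_B, DEST, "LINK", 50_000.0),
    Transfer(1500, "ethereum", HOT_A, COLD, "USDC", 5_000_000.0),  # sweep to cold storage
    Transfer(2000, "ethereum", HOT_A, USER, "USDT", 2_000.0),      # ordinary withdrawal
]
if __name__ == "__main__":
    print(flag_convergence(SAMPLE, {HOT_A, HOT_B}, {COLD}))
```

In practice the allowlist would hold the exchange's own cold and internal addresses, so routine sweeps stay quiet while a new destination collecting funds on several chains raises one alert.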

Decoding the Smart Contract Vulnerability

The vulnerability that allowed this hack was primarily due to inadequate access control within Phemex’s hot wallet management system. The specific weaknesses included:

  • Weak Access Controls: The attackers exploited flaws in how permissions were managed within the smart contracts governing the hot wallets. This lack of stringent access controls enabled unauthorized withdrawals.
  • Cross-Chain Exploitation: The attackers demonstrated sophisticated techniques by executing over 125 suspicious transactions across various networks. This multi-chain approach not only obscured their actions but also complicated recovery efforts.

Despite previous audits that may have deemed Phemex’s security measures sufficient, this incident highlights critical gaps in their infrastructure that need urgent attention.

Mitigation and Best Practices

In light of the recent hack at Phemex, several best practices can be adopted by cryptocurrency exchanges to enhance their security posture:

  • Implement Strong Access Controls: Exchanges must enforce rigorous access control measures for all smart contracts and wallet management systems. Role-based access controls and multi-signature wallets for high-value transactions are essential.
  • Utilize Cold Wallets: To mitigate risks associated with hot wallets, exchanges should store a majority of their funds in cold wallets. Cold storage is less vulnerable to hacking attempts as it is not connected to the internet.
  • Conduct Regular Security Audits: Ongoing audits by third-party security firms can help identify vulnerabilities before they can be exploited. Regular penetration testing should also be part of an exchange’s security strategy.
  • User Education: Educating users about potential risks associated with trading on centralized exchanges can help reduce the likelihood of phishing attacks or other social engineering tactics that could compromise accounts.
  • Emergency Response Plans: Establishing clear protocols for responding to security breaches can help mitigate damage and facilitate recovery efforts when incidents occur. This includes transparent communication with affected users.

About Securr

Securr is a Web3 security company providing an Advanced Bug Bounty platform & Expert In-house Smart Contract Audits.

🛡 100+ PROJECTS SERVED
💰 $2B+ FUNDS SAVED
🧑‍💻 15000+ HACKERS

🔗 Website — https://www.securr.tech

To get a free security consultation, feel free to schedule a call 📞
