NASDAQ-powered tokenized trading platform DX.Exchange has released a statement announcing that it has resolved a recently discovered security vulnerability that exposed user authentication tokens to the public.
Following the exchange’s official launch on Monday, a bug was discovered on DX.Exchange that leaked sensitive data, including password reset links, Ars Technica reported January 9. It remains unclear how many user accounts were compromised, but an undisclosed trader claimed that he was able to amass approximately 100 tokens in as little as 30 minutes by exploiting the platform’s vulnerability.
The digital tokens offered by DX.Exchange represent shares in multiple NASDAQ-traded companies, and the platform facilitates digital securities trading by leveraging NASDAQ’s matching engine and financial data exchange protocol.
While the security vulnerability has so far not resulted in any criminal activity, Ars Technica stated that it was able to accumulate “a large number” of authentication tokens.
According to the exchange’s official statement, the security vulnerability stemmed from “an authentication token error.” The exchange claimed that the flaw has since been successfully patched and that it no longer poses any risk to user funds.
As DX.Exchange CEO Daniel Skowronski stated in the company’s blog post:
“We are happy to report that the vulnerability has been successfully patched, and no user funds were compromised … Customer funds were always safe, our multi layer advanced monitoring and defense mechanism was able to avoid any further issue.”
Skowronski went on to add that DX.Exchange also runs a bug bounty program through which developers can directly report any potential bugs they find on the exchange.