A broken access control flaw in Exolix’s partner API allowed anyone with a partner JWT to dump complete swap histories from seven integrations, exposing 355,944 transactions (Jan 2025–May 2026) totaling about $39.5M.
Key findings
- Vulnerability: Partner JWTs issued via the partner panel grant full read access to GET /api/v2/transactions. They are long-lived (5-year expiry), carry no scope, and are commonly hardcoded in client apps or committed to public repos, so anyone who downloads the app or clones the repo holds the same credential as the partner. The endpoint enforced no meaningful rate limiting or IP allow-listing, so bulk enumeration went unthrottled.
- Data exposed: deposit and withdrawal addresses, on-chain transaction hashes for both legs of the swap, amounts, timestamps, exchange rates, swap status, and partner identifiers. Taken together this is everything needed to link the two legs and deanonymize a swap.
- Impact: 355,944 transactions enumerated; 35,848 successful swaps; about $39,517,649 USD in volume across partners. Privacy coins dominate the volume (Monero is the top source asset and among the top destination assets).
- Ease of exploitation: partner JWTs could be recovered from decompiled Android APKs and from public source code; once a token was in hand, a single curl script paginating through GET /api/v2/transactions was enough to dump a partner's entire history.
- Partners affected (summary): Edge (329,532 txns; $24.95M USD), Exodus Non-US ($6.08M), Monerujo ($4.58M), BTCPay plugins