Verify a decision

{"actor":"system:backfill","investigation_id":"b2c2dac1-0c41-4a88-a74f-5688f2c9dd12","kind":"publish","page_slug":"dydx-v3","published_at":"2026-05-28T08:20:38.797Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"dYdX V3","sections":[{"content":"dYdX V3 was a decentralized perpetual futures trading protocol built on Ethereum, leveraging StarkWare's StarkEx zero-knowledge rollup for scalability. It operated as a hybrid system: trade settlements were secured by Ethereum and ZK proofs, but the order book and matching engine ran on centralized servers controlled by dYdX Trading Inc. This architecture meant V3 was only partially decentralized. Users submitted orders via the dYdX HTTP API, processed by a centralized matching server, and the operator was the only entity able to propose blocks. dYdX V3 was officially shut down on October 28, 2024, as the company fully transitioned operations to the dYdX Chain (V4) on Cosmos.","heading":"Overview","severity":"low","sources":[{"credibility":2,"name":"dYdX V3 Sunset – DYdX V3 Sunset: Trading, Oracle Updates, And Funding To Stop On October 28","type":"news_article","url":"https://bitcoinworld.co.in/dydx-v3-sunset/"},{"credibility":2,"name":"dYdX trading to phase out v3 platform in favor of 'Unlimited' upgrade – Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/dydx-trading-to-phase-out-v3-platform/"}]},{"content":"In November 2023, dYdX V3 suffered a targeted attack that drained more than $9 million from its insurance fund, roughly 40% of total V3 insurance reserves. The attacker employed a coordinated leverage-cycling strategy across two phases: first targeting SUSHI (October 29 – November 3, 2023) and then YFI (November 1–18, 2023). Using over 132 linked wallet addresses traceable to a single funding source, the attacker deposited approximately $16 million total, built large leveraged long positions on dYdX V3, then aggressively purchased spot tokens on external venues to inflate prices. Because unrealized profits counted as account equity in dYdX V3's margin calculations, the attacker was able to withdraw those unrealized gains and redeploy them through new wallets to expand positions further. SUSHI surged approximately 180% (from $0.67 to $1.20) and YFI surged approximately 215% (from around $6,500 to over $14,000), with YFI open interest on V3 spiking from $0.8 million to $67 million. The YFI price subsequently crashed approximately 30% within one hour on November 18, 2023, triggering forced liquidations. The insurance fund absorbed the shortfall. The attacker withdrew approximately $27 million in total, for a net gain of roughly $11 million. dYdX founder Antonio Juliano confirmed the attack was targeted and involved the FBI. A forensic investigation uncovered the alleged identity of the attacker; dYdX stated it was in contact with the individual and assessing all legal remedies. The post-mortem was published by dYdX on its official blog.","heading":"November 2023 Insurance Fund Drain — Market Manipulation Attack","severity":"critical","sources":[{"credibility":1,"name":"Post Mortem on SUSHI and YFI Incident – dYdX Official Blog","type":"official","url":"https://dydx.exchange/blog/sushi-yfi-incident"},{"credibility":1,"name":"dYdX founder blames v3 central components for 'targeted attack,' involves FBI – CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/d-yd-x-founder-blames-v3-central-components-targeted-attack-involves-fbi"},{"credibility":2,"name":"Dydx V3 hit by 'targeted attack,' linked to YFI price manipulation – Blockworks","type":"news_article","url":"https://blockworks.co/news/dydx-v3-targeted-attack-yfi-price"},{"credibility":1,"name":"DeFi exchange dYdX publishes post-mortem on $9 million November attack – The Block","type":"news_article","url":"https://www.theblock.co/post/270275/dydx-publishes-post-mortem-9-million-november-attack"},{"credibility":2,"name":"dYdX Hit by $9 Million Insurance Fund Breach Amid Alleged YFI Market Manipulation – Unchained","type":"news_article","url":"https://unchainedcrypto.com/dydx-hit-by-9-million-insurance-fund-breach-amid-alleged-yfi-market-manipulation/"},{"credibility":2,"name":"DYdX In Talks With Perpetrator and Law Enforcement Over Recent Market Manipulation Attack – The Defiant","type":"news_article","url":"https://thedefiant.io/news/defi/dydx-in-talks-with-perpetrator-and-law-enforcement-over-recent-market-manipulation-attack"}]},{"content":"On July 23, 2024, the dYdX V3 web frontend (dydx.exchange) was compromised via a DNS hijacking attack. Attackers gained unauthorized access to the domain registrar account — originally registered at Google Domains but migrated to Squarespace, which allegedly disabled multi-factor authentication during the transition — and redirected visitors to a counterfeit site. The fraudulent site prompted users to approve PERMIT2 transactions designed to drain their most valuable tokens from connected wallets. dYdX confirmed that the underlying V3 smart contracts were not affected and that funds already deposited in V3 remained safe. dYdX resolved the DNS redirect and advised users to clear browser caches before accessing the site. The attack coincided with Bloomberg reports that dYdX Trading Inc. was in talks to sell the V3 software to market makers Wintermute Trading and Selini Capital, with Perella Weinberg Partners advising the process.","heading":"July 2024 DNS Hijacking Attack","severity":"high","sources":[{"credibility":1,"name":"DeFi exchange dYdX v3 website hacked in DNS hijack attack – Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/defi-exchange-dydx-v3-website-hacked-in-dns-hijack-attack/"},{"credibility":1,"name":"DeFi Giant dYdX Says Its v3 Platform Is Compromised – CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2024/07/23/defi-giant-dydx-says-its-v3-platform-is-compromised-just-as-its-reportedly-up-for-sale"},{"credibility":1,"name":"dYdX v3 compromised in an apparent DNS attack – CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/dydx-v3-compromised-apparent-dns-attack"},{"credibility":2,"name":"dYdX's website compromised in latest DNS attack targeting DeFi protocols – DL News","type":"news_article","url":"https://www.dlnews.com/articles/defi/dydx-website-hacked-amid-rumour-of-planned-sale-of-protocol/"}]},{"content":"dYdX has been the subject of at least two confirmed software supply chain attacks. In September 2022, a dYdX staff member's npm account was hijacked and new versions of the 'solo' and 'perpetual' packages were published containing credential-stealing malware. The malicious packages were used by at least 44 cryptocurrency projects. The threat was detected and disclosed by Mend's Supply Chain Defender within approximately 30 minutes. In January 2026, researchers at Socket discovered that legitimate developer credentials had been used to publish trojanized versions of the npm package @dydxprotocol/v4-client-js (versions 3.4.1, 1.22.1, 1.15.2, 1.0.31) and the PyPI package dydx-v4-client (version 1.1.5post1). The malicious payloads included a cryptocurrency wallet stealer targeting seed phrases and a Python-based Remote Access Trojan (RAT) beaconing to a command-and-control server registered approximately three weeks before the attack. The attacker used 100-iteration obfuscation in the PyPI variant. dYdX acknowledged the January 2026 incident and advised affected developers to isolate machines, move funds from clean systems, and rotate all API credentials. Note: the January 2026 packages were associated with V4 client libraries, but reflect persistent supply chain risks across the dYdX ecosystem.","heading":"Software Supply Chain Attacks (2022 and 2026)","severity":"high","sources":[{"credibility":2,"name":"Popular Cryptocurrency Exchange Dydx Has Its NPM Acct Hacked – Mend.io","type":"news_article","url":"https://www.mend.io/blog/popular-cryptocurrency-exchange-dydx-has-had-its-npm-account-hacked/"},{"credibility":1,"name":"npm packages used by crypto exchanges compromised – Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/npm-packages-used-by-crypto-exchanges-compromised/"},{"credibility":1,"name":"Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malware – The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/02/compromised-dydx-npm-and-pypi-packages.html"},{"credibility":2,"name":"Malicious dYdX Packages Published to npm and PyPI – Socket","type":"research","url":"https://socket.dev/blog/malicious-dydx-packages-published-to-npm-and-pypi"}]},{"content":"dYdX V3 operated as a hybrid system that relied significantly on centralized infrastructure controlled by dYdX Trading Inc. The order book and matching engine were off-chain, run on centralized servers. The operator was the sole entity capable of proposing blocks. L2Beat's review of V3 noted that a live and trustworthy operator was vital to system health, and that MEV could be extracted if the operator were to exploit their centralized position by frontrunning user transactions. dYdX founder Antonio Juliano acknowledged in the aftermath of the November 2023 attack that centralized V3 components were a contributing factor. The migration to V4 on Cosmos was explicitly motivated by the need to decentralize the order book and matching engine.","heading":"Centralization Risks and Architecture Concerns","severity":"medium","sources":[{"credibility":2,"name":"dYdX v3 – L2Beat Risk Assessment","type":"research","url":"https://l2beat.com/scaling/projects/dydx"},{"credibility":1,"name":"dYdX founder blames v3 central components for 'targeted attack,' involves FBI – CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/d-yd-x-founder-blames-v3-central-components-targeted-attack-involves-fbi"}]},{"content":"dYdX Trading Inc. experienced significant leadership changes in 2024. Founder Antonio Juliano stepped down as CEO in May 2024, with Ivo Crnkovic-Rubsamen, the former chief strategy officer, taking over. Juliano returned as CEO in October 2024. Concurrent with his return and the V3 shutdown, Juliano announced a 35% reduction in the company's core workforce, citing tough competition and declining market position. dYdX's Total Value Locked dropped from over $500 million in March 2024 to approximately $287 million by October 2024, while competitor Hyperliquid's TVL reached an all-time high exceeding $870 million during the same period.","heading":"Leadership Instability and Workforce Reduction","severity":"medium","sources":[{"credibility":1,"name":"DYdX CEO Juliano Fires 35% of Workforce and Promises Pivot – CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2024/10/29/dydx-ceo-juliano-fires-35-of-workforce-and-promises-pivot"},{"credibility":1,"name":"Founder of dYdX steps down as CEO of firm behind decentralized exchange – The Block","type":"news_article","url":"https://www.theblock.co/post/294067/founder-of-dydx-steps-down-as-ceo-of-firm-behind-decentralized-exchange"},{"credibility":2,"name":"dYdX Lays Off 35% of Core Staff Amidst Plummeting TVL – BeInCrypto","type":"news_article","url":"https://beincrypto.com/dydx-lays-off-core-team/"}]},{"content":"In July 2024, Bloomberg reported that dYdX Trading Inc. was in negotiations to sell the V3 derivatives software to institutional market makers Wintermute Trading and Selini Capital. Perella Weinberg Partners was reported to be advising the process. dYdX stated it was exploring strategic alternatives related to the V3 technology, clarifying that this would not include the Ethereum smart contracts or other technology governed by the dYdX token. The negotiations were reported contemporaneously with the DNS hijacking incident of July 23, 2024. As of the V3 sunset on October 28, 2024, no completed acquisition had been publicly confirmed.","heading":"V3 Software Sale Negotiations","severity":"low","sources":[{"credibility":1,"name":"Firm behind DeFi platform dYdX in talks of selling the dYdX v3 software – The Block","type":"news_article","url":"https://www.theblock.co/post/307005/firm-behind-defi-platform-dydx-in-talks-of-selling-the-dydx-v3-software-report"},{"credibility":1,"name":"dYdX explores sale of derivatives trading arm – CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/dydx-explores-sale-derivatives-trading-arm"},{"credibility":1,"name":"DeFi Exchange dYdX in Talks to Sell Derivatives Trading Platform – BNN Bloomberg","type":"news_article","url":"https://www.bnnbloomberg.ca/business/company-news/2024/07/23/defi-exchange-dydx-in-talks-to-sell-derivatives-trading-platform/"}]}],"sources_used":[{"credibility":1,"name":"Post Mortem on SUSHI and YFI Incident – dYdX Official Blog","type":"official","url":"https://dydx.exchange/blog/sushi-yfi-incident"},{"credibility":1,"name":"dYdX founder blames v3 central components for 'targeted attack,' involves FBI – CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/d-yd-x-founder-blames-v3-central-components-targeted-attack-involves-fbi"},{"credibility":1,"name":"DeFi exchange dYdX publishes post-mortem on $9 million November attack – The Block","type":"news_article","url":"https://www.theblock.co/post/270275/dydx-publishes-post-mortem-9-million-november-attack"},{"credibility":2,"name":"Dydx V3 hit by 'targeted attack,' linked to YFI price manipulation – Blockworks","type":"news_article","url":"https://blockworks.co/news/dydx-v3-targeted-attack-yfi-price"},{"credibility":1,"name":"DeFi exchange dYdX v3 website hacked in DNS hijack attack – Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/defi-exchange-dydx-v3-website-hacked-in-dns-hijack-attack/"},{"credibility":1,"name":"DeFi Giant dYdX Says Its v3 Platform Is Compromised – CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2024/07/23/defi-giant-dydx-says-its-v3-platform-is-compromised-just-as-its-reportedly-up-for-sale"},{"credibility":1,"name":"Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malware – The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/02/compromised-dydx-npm-and-pypi-packages.html"},{"credibility":2,"name":"Malicious dYdX Packages Published to npm and PyPI – Socket","type":"research","url":"https://socket.dev/blog/malicious-dydx-packages-published-to-npm-and-pypi"},{"credibility":1,"name":"npm packages used by crypto exchanges compromised – Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/npm-packages-used-by-crypto-exchanges-compromised/"},{"credibility":1,"name":"DYdX CEO Juliano Fires 35% of Workforce and Promises Pivot – CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2024/10/29/dydx-ceo-juliano-fires-35-of-workforce-and-promises-pivot"},{"credibility":1,"name":"Founder of dYdX steps down as CEO – The Block","type":"news_article","url":"https://www.theblock.co/post/294067/founder-of-dydx-steps-down-as-ceo-of-firm-behind-decentralized-exchange"},{"credibility":1,"name":"Firm behind DeFi platform dYdX in talks of selling the dYdX v3 software – The Block","type":"news_article","url":"https://www.theblock.co/post/307005/firm-behind-defi-platform-dydx-in-talks-of-selling-the-dydx-v3-software-report"},{"credibility":2,"name":"dYdX v3 – L2Beat","type":"research","url":"https://l2beat.com/scaling/projects/dydx"},{"credibility":2,"name":"dYdX Trading to Shut Down v3 on October 28, 2024 – Live Bitcoin News","type":"news_article","url":"https://www.livebitcoinnews.com/dydx-trading-to-shut-down-v3-on-october-28-2024/"},{"credibility":1,"name":"DeFi Exchange dYdX in Talks to Sell Derivatives Trading Platform – BNN Bloomberg","type":"news_article","url":"https://www.bnnbloomberg.ca/business/company-news/2024/07/23/defi-exchange-dydx-in-talks-to-sell-derivatives-trading-platform/"},{"credibility":2,"name":"dYdX Hit by $9 Million Insurance Fund Breach Amid Alleged YFI Market Manipulation – Unchained","type":"news_article","url":"https://unchainedcrypto.com/dydx-hit-by-9-million-insurance-fund-breach-amid-alleged-yfi-market-manipulation/"},{"credibility":2,"name":"DYdX In Talks With Perpetrator and Law Enforcement – The Defiant","type":"news_article","url":"https://thedefiant.io/news/defi/dydx-in-talks-with-perpetrator-and-law-enforcement-over-recent-market-manipulation-attack"},{"credibility":2,"name":"Popular Cryptocurrency Exchange Dydx Has Its NPM Acct Hacked – Mend.io","type":"news_article","url":"https://www.mend.io/blog/popular-cryptocurrency-exchange-dydx-has-had-its-npm-account-hacked/"}],"summary":"dYdX V3 was a decentralized perpetual futures exchange built on Ethereum using StarkWare's StarkEx Layer-2 technology, operated by dYdX Trading Inc. The platform suffered a $9 million insurance fund drain in November 2023 due to an alleged coordinated market manipulation attack targeting YFI and SUSHI markets, a DNS hijacking attack in July 2024, and a software supply chain compromise in September 2022. The V3 product was formally sunset on October 28, 2024, with trading migrated to the dYdX Chain (V4) on Cosmos.","timeline":[{"date":"2022-09-23","event":"dYdX staff member's npm account hijacked; malicious versions of 'solo' and 'perpetual' packages published with credential-stealing code affecting at least 44 crypto projects.","source":"Bleeping Computer / Mend","source_url":"https://www.bleepingcomputer.com/news/security/npm-packages-used-by-crypto-exchanges-compromised/"},{"date":"2023-10-29","event":"First phase of the market manipulation attack begins on dYdX V3; attacker uses 132+ linked wallet addresses to build leveraged SUSHI long positions while purchasing SUSHI spot to inflate the price approximately 180%.","source":"dYdX Official Blog","source_url":"https://dydx.exchange/blog/sushi-yfi-incident"},{"date":"2023-11-09","event":"Second phase of the attack targets YFI on dYdX V3; YFI open interest spikes from $0.8 million to $67 million; YFI price rises approximately 215% from ~$6,500 to over $14,000 by November 17.","source":"dYdX Official Blog","source_url":"https://dydx.exchange/blog/sushi-yfi-incident"},{"date":"2023-11-18","event":"YFI price crashes approximately 30% within one hour; forced liquidations trigger a $9 million draw on the dYdX V3 insurance fund (~40% of total V3 insurance reserves); attacker withdraws approximately $27 million total.","source":"CoinTelegraph / The Block","source_url":"https://cointelegraph.com/news/founder-dydx-targeted-attack-insurance-use"},{"date":"2023-11-19","event":"dYdX founder Antonio Juliano publicly attributes the $9M insurance loss to a targeted attack; FBI involvement confirmed; margin requirements raised to 100% for affected markets.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/d-yd-x-founder-blames-v3-central-components-targeted-attack-involves-fbi"},{"date":"2024-05-13","event":"Antonio Juliano steps down as CEO of dYdX Trading Inc.; Ivo Crnkovic-Rubsamen appointed CEO.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2024/05/13/dydx-founder-antonio-juliano-to-step-down-as-ceo-of-the-decentralized-exchange-ivo-crnkovic-rubsamen-takes-over"},{"date":"2024-07-23","event":"dYdX V3 web frontend compromised via DNS hijacking through Squarespace registrar; counterfeit site deploys PERMIT2 wallet drainer; smart contracts unaffected; dYdX resolves DNS redirect same day.","source":"Bleeping Computer / CoinDesk","source_url":"https://www.bleepingcomputer.com/news/security/defi-exchange-dydx-v3-website-hacked-in-dns-hijack-attack/"},{"date":"2024-10-10","event":"Antonio Juliano returns as CEO of dYdX Trading Inc.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2024/10/29/dydx-ceo-juliano-fires-35-of-workforce-and-promises-pivot"},{"date":"2024-10-28","event":"dYdX V3 trading, oracle price updates, and funding payments cease at 12:05 PM UTC; V3 officially sunset; Ethereum smart contract set to frozen on October 30.","source":"Live Bitcoin News","source_url":"https://www.livebitcoinnews.com/dydx-trading-to-shut-down-v3-on-october-28-2024/"},{"date":"2024-10-29","event":"dYdX CEO Juliano announces 35% workforce reduction, citing competitive pressures and declining TVL from $500M to $287M; company promises strategic pivot.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2024/10/29/dydx-ceo-juliano-fires-35-of-workforce-and-promises-pivot"},{"date":"2026-01-27","event":"Socket researchers discover malicious versions of dYdX V4 npm and PyPI packages containing wallet stealers and a RAT; dYdX acknowledges the supply chain compromise and urges developers to isolate affected machines.","source":"The Hacker News / Socket","source_url":"https://thehackernews.com/2026/02/compromised-dydx-npm-and-pypi-packages.html"}]},"v":1}