Exolix API exposed ~$39.5M of swap history
A security researcher found that Exolix's partner API used unscoped JWT keys with no rate limiting or IP restrictions, which let anyone dump full swap histories. The exposed data covered roughly 355,000 transactions and $39.5M in volume from January 2025 to May 2026: deposit and withdrawal addresses, on-chain hashes, amounts, rates, and timestamps.
For a no-KYC swapper, this links addresses and undoes the privacy users came for. After the disclosure, Exolix called the open access "a feature, not a bug," added WAF rules, and left the underlying flaw in place.
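As an added illustration of the two missing controls (scoped partner tokens and per-key rate limiting), not Exolix's code: a minimal partner-API endpoint that verifies an HS256 JWT, refuses tokens lacking a `partner_id` claim and a `swaps:read` scope, returns only that partner's own swaps, and throttles per partner. The secret, claim names and swap records are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
from collections import defaultdict

# Constructed sample data: a demo HMAC secret and three swap records (not real data).
SECRET = b"constructed-demo-secret"
SWAPS = [
    {"id": "s1", "partner": "p-alpha", "amount": 1.5, "tx": "0xaaa"},
    {"id": "s2", "partner": "p-beta",  "amount": 0.2, "tx": "0xbbb"},
    {"id": "s3", "partner": "p-alpha", "amount": 9.0, "tx": "0xccc"},
]

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict) -> str:
    """Mint an HS256 JWT over the given claims (hypothetical issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str) -> dict:
    """Check the HS256 signature in constant time and return the claims."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise PermissionError("bad signature")
    return json.loads(_unb64url(body))

# Per-partner sliding window: at most RATE_LIMIT requests per WINDOW seconds.
RATE_LIMIT, WINDOW = 5, 60
_hits = defaultdict(list)

def swap_history(token: str, now=None) -> list:
    """Return only the caller's own swaps; reject unscoped or over-limit tokens."""
    claims = verify_token(token)
    partner = claims.get("partner_id")
    if not partner or "swaps:read" not in claims.get("scope", []):
        raise PermissionError("token is not scoped to a partner")  # the unscoped-key flaw
    now = time.time() if now is None else now
    window = [t for t in _hits[partner] if now - t < WINDOW]
    if len(window) >= RATE_LIMIT:
        raise PermissionError("rate limit exceeded")
    _hits[partner] = window + [now]
    return [s for s in SWAPS if s["partner"] == partner]
```

An unscoped token that merely validates would otherwise have returned every record in `SWAPS`; here it is rejected before any data is read.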
Full penalty applies until resolved.