OKX urges critical update after wallet bug disclosed

cyptouser, 10 months ago, Cryptocurrencies News

Cryptocurrency exchange OKX and blockchain security firm CertiK have disclosed a critical vulnerability in OKX’s iOS wallet, triggering immediate calls for users to update their apps.

The Dec. 19 announcement has sparked controversy over the timing of the disclosure, as concerns rise about the potential compromise of user data and crypto assets.

CertiK posted to Twitter/X:

“Attention! We urge users of OKX wallets to update their iOS app to the latest version immediately. Earlier this month, we identified and reported a critical Remote Code Execution (RCE) vulnerability in the OKX iOS App, leading to potential compromise of sensitive data and crypto assets.”

In a separate announcement, OKX confirmed that it had deployed an update that resolved the issue. It asserted that the bug had not affected customer funds.

The issue appears unrelated to an earlier attack on OKX’s decentralized exchange (DEX) aggregator, which led to $2.7 million in losses around Dec. 12.

Quick disclosure attracts controversy

CertiK’s quick disclosure was criticized by MetaMask lead Tay Monahan, who noted the risk of disclosing an issue on the day of the fix’s release. She wrote:

“Wait wait wait wait hold up … How long does it take [OKX’s] user base to get majority updated historically? Like, it takes time to roll out updates. Like weeks, months. And yet you’re disclosing there’s a [vulnerability] that could rekt all users remotely THE DAY OF?”

There is also a lack of clarity around the date of the patch’s release. CertiK said that the fix was deployed in an update released today (which the iOS App Store identifies as version 6.46.0), whereas OKX said that it was deployed in version 6.45.0 (which was released on Dec. 11). Details in the App Store do not indicate which update actually contains the fix.

Regardless, the bug has been disclosed no more than eight days after the fix’s release, leaving users who do not immediately update at risk.
