0x has been made aware of a potential vulnerability in its Exchange v2.0 contract, disclosed by third-party security analyst Sam Sun. The Exchange contract carries much of the 0x protocol's business logic: filling and cancelling orders, executing transactions, validating signatures, and registering new contracts on the platform.
Will Warren, the firm's CEO and co-founder, explained the vulnerability in a blog post:
“This vulnerability would allow an attacker to fill certain orders with invalid signatures. This vulnerability does not affect the ZRX token contract; your digital assets are safe.”
As a precaution, the startup shut down the Exchange contract and the Asset Proxy contracts, which execute asset transfers within the 0x protocol. The CEO explained that the move was taken to prevent fraudsters from exploiting the vulnerability. He noted that no one has so far taken advantage of it and, as such, no funds have been lost. However, because of the changes, the currently deployed 0x contracts cannot process trades and cannot be used, Warren explained.
According to Warren, a team from the firm was quickly assembled to address the vulnerability. It patched both the Exchange and Asset Proxy contracts overnight and deployed the fixed versions to the Ethereum mainnet.
Warren said that teams will need to point to the newly deployed, patched Exchange and AssetProxy contracts and clear their order books of outstanding orders. Users have also been advised to reset their allowances for the new 0x AssetProxy contracts.
Warren also stated that the firm is verifying that other smart contracts are not vulnerable to this exploit before disclosing it publicly in a formal post-mortem report.
The CEO praised Sam Sun for identifying the vulnerability, pointing out that 0x pays generous bounties to white-hat hackers and community members who identify possible vulnerabilities or bugs. Warren said that, after serious reflection, he will organise a community conversation in the coming days to make sure that the 0x protocol's smart contract security measures are transparent, rigorous and community-vetted.
The CEO apologized to the 0x community for any inconvenience caused and assured that all the security issues of the platform had been fixed.
Should blockchain and crypto-based firms encourage white hat hackers by offering high bug bounties? Let us know in the comments section.