The decentralized exchange protocol 0x has been suspended by the core developing team after discovering a vulnerability in its code.
According to a blog post, the 0x project was made aware of a potential exploit in its Exchange smart contract by a third-party security researcher – Sam Sun. The affected contract is responsible for filling and canceling orders, as well as executing transactions and registering new contracts.
0x Trading Halted to Patch the Exploit
The vulnerability would have allowed attackers to fill orders with invalid signatures. The 0x team has immediately halted trading on its platform and released an updated version of the affected smart contract. According to 0x co-founder, Will Warren, no user funds have been affected:
This vulnerability would allow an attacker to fill certain orders with invalid signatures. This vulnerability does not affect the ZRX token contract; your digital assets are safe.
Warren added that after verifying the vulnerability the team decided to shut down the v2.0 Exchange and all AssetProxy contracts to prevent attackers from being able to exploit the vulnerability.
While the vulnerability hasn’t been exploited as far as the team is aware, the functionality of the decentralized exchange has been hampered. Projects that are intertwined with the 0x protocol have to update their code as well, to point to these updated contracts.
Warren indicated that the 0x team will issue a post-mortem once it is certain that no other smart contracts are at risk. Furthermore, 0x will continue offering generous bug bounties to white hat hackers that help identify vulnerabilities.
Decentralized Protocols Still Centralized
The project’s team is also looking to discuss the issue with the community to make sure all smart contract security practices for 0x protocol are transparent, rigorous, and community-vetted.
The immediate response from the team has helped avert any unpleasant situations for its users, but this particular incident also highlights that decentralized exchange protocols still remain centralized.
Backdoors for decentralized protocols in their smart contracts, either disclosed or hidden, are a double-edged sword. On one hand, it helps prevent failures and exploits with quick fixes, such as in this case. On the other, centralized decision making will see protocols fail the censorship and regulation test. Whether projects will be able to find an elegant solution for this, remains to be seen.
How should decentralized exchange protocols position themselves? Should they sacrifice decentralization or run a higher risk of vulnerability exploitation? Let us know your thoughts in the comments below.