The 0x project pushed the “emergency switch”, shutting down its own decentralized exchange and sparking an outrage regarding control over presumably decentralized technology.
The 0x decentralized exchange protocol was shut down this Saturday after the discovery of a potential exploit. No funds are missing, and the project re-deployed a new smart contract with the vulnerability patched.
The nature of the potential exploit was based on a feature of the Ethereum Virtual Machine and the way it handled smart contract code, and was discovered by @samczsun. The reason for the exploitable smart contract was possibly code meant to save gas on the Ethereum network. The vulnerability concerned the verification of wallet signatures, potentially allowing an attacker to fill certain orders with an invalid wallet signature.
The vulnerability does not affect the smart contract for the ZRX token itself, and the funds are safe, the 0x team stated.
Will Warren, co-founder of the 0x project, said that the verification vulnerability was not exploited and no funds were lost.
1) After analyzing historical trade logs, we have confirmed that the vulnerability found in the 0x v2.0 Exchange contract was not exploited.
We have patched and re-deployed the entire 0x pipeline from scratch, updated our developer tools and packages, 0x Instant, 0x Launch Kit.
— Will Warren (@willwarren89) July 13, 2019
Unfortunately, the possibility for shutting down a decentralized exchange (DEX) by the decision of its founders has worried the crypto community. Warren himself called the shutdown “a nightmare scenario”.
The behavior of the 0x smart contract also revealed potential flaws in earlier usage of the Solidity programming language. All distributed apps and decentralized exchanges on the Ethereum network rely on the Solidity language, setting some limitations:
To be fair, it was not possible to make a staticcall in Solidity at the time this contract was written. But in general, I agree. A lot has changed in the past year that reduces the need to use much assembly and makes efficiency much less of a concern: https://t.co/lH7LrE4MES
Decentralized exchanges are not foolproof, and in the past, the Bancor protocol has also seen exploits and token theft. Smart contract auditing is still a relatively young field, and potential exploits are sometimes noticed by accident.
The 0x exchange saw its activity immediately drop. Based on DappRadar, the exchange had around 330 users last week, dwindling to just 28 users and zero trading in the days since the exploit.
The 0x (ZRX) market price tanked more than 9% late on Sunday, based on the news of the exploit, but also the general sell-off in altcoins and tokens.