idexio / idex-contracts-whistler Goto Github PK
View Code? Open in Web Editor NEWIDEX 2.0 smart contracts
License: GNU Lesser General Public License v3.0
IDEX 2.0 smart contracts
License: GNU Lesser General Public License v3.0
Severity: Low Risk
File(s) affected: contracts/Exchange.sol
, contracts/Governance.sol
, contracts/libraries/AssetRegistry.sol
Description:
contracts/Exchange.sol
: wallet should be checked to be different from 0x0
in loadBalanceInAssetUnitsByAddress
, loadBalanceInPipsBySymbol
, and loadBalanceInAssetUnitsBySymbol
.contracts/Governance.sol
: Functions setCustodian
, initiateExchangeUpgrade
, and initiateGovernanceUpgrade
do not check if the given address parameter is a contract.libraries/AssetRegistry.sol
: Function registerToken
does not check if tokenAddress
is different from 0x0
. Moreover, it does not check if tokenAddress
is a contract address.libraries/AssetRegistry.sol
: Function registerToken
does not check if symbol is different from the empty string.Recommendation: Add checks fixing the enumerated cases. For checking whether an address is a contract, refer to AddressUtils.
Severity: Informational
File(s) affected: contracts/*.sol
, contracts/libraries/*.sol
Description: Every Solidity file specifies in the header a version number of the format pragma solidity (^)0.4.*
. The caret (^
) before the version number implies an unlocked pragma, meaning that the compiler will use the specified version and above, hence the term "unlocked." For consistency and to prevent unexpected behavior in the future, it is recommended to remove the caret to lock the file onto a specific Solidity version.
Recommendation: Except for Migrations.sol
, where the Solidity version is already locked, all other files DO NOT lock the Solidity version. For those, lock the version to 0.6.8
.
Severity: High Risk
File(s) affected: contracts/libraries/AssetUnitConversions.sol
, contracts/libraries/UUID.sol
Description: Integer overflow/underflow occur when an integer hits its bit-size limit. Every integer has a set range; when that range is passed, the value loops back around. A clock is a good analogy: at 11:59, the minute hand goes to 0, not 60, because 59 is the largest possible minute. Integer overflow and underflow may cause many unexpected kinds of behavior and was the core reason for the batchOverflow
attack.
Exploit Scenario:
AssetUnitConversions.sol
(L22): the statement return uint256(quantityInPips) * uint256(10)**(assetDecimals - 8)
can overflow, as there is no upper bound check on the value of assetDecimals
and quantityInPips
.UUID.sol
(L26): the subtraction statement could lead to an integer underflow, especially when called by [unaware] end users via invalidateOrderNonce()
.Recommendation: Use SafeMath
to perform arithmetic operations - if overflow/underflow occurs, transactions safely revert.
Severity: Informational
Description: Since Solidity 0.4.22, some non-ERC20 compliant token contracts that used to work in older versions no longer work now. Since many token contracts implement the transfer
function by either returning true
or reverting the call altogether, some contract developers deemed the return value unnecessary, writing contracts with a transfer
function with signature function transfer(address to, uint amount) public { ... }
. All non-ERC20 compliant contracts like the latter case that used to work before 0.4.22 will fail in IDEX, as it relies on Solidity 0.6.8. More info can be found here.
Recommendation: This is merely an educational point. Nonetheless, we suggest scripting token registration to check whether target tokens contracts implement the ERC20 standard, with matching function signatures. Needless to say this check is restricted to tokens with a known ABI and/or source code (e.g., as published in some blockchain explorers, like Etherscan).
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.