The team behind the 0x project recently suspended and then patched its decentralized exchange protocol over a vulnerability discovered by a third-party security researcher, Sam Sun.
According to a Medium blog post, the 0x project was made aware of a potential exploit in its Exchange contract, which is responsible for filling and cancelling orders, executing transactions, and registering new contracts. The flaw could allow attackers to fill orders with invalid signatures.
Will Warren, co-founder and CEO of 0x, wrote in the post:
“This vulnerability would allow an attacker to fill certain orders with invalid signatures. This vulnerability does not affect the ZRX token contract; your digital assets are safe.”
Warren added that after verifying the vulnerability, and “out of an abundance of caution,” the team decided to shut down the v2.0 Exchange and all AssetProxy contracts to prevent attackers from being able to exploit the vulnerability.
The post adds that, to the best of the team's knowledge, the vulnerability wasn’t exploited and no funds have been lost. Deployed 0x contracts, however, aren’t able to process trades. 0x then deployed patched contracts overnight and asked projects to point to these new contracts.
Warren further added that 0x is currently doing its best to verify that other smart contracts can’t be exploited through the vulnerability before the team discloses a formal post-mortem. The project’s team is also looking to discuss the issue with the community to make sure “all smart contract security practices for 0x protocol are transparent, rigorous, and community-vetted.”
Near the end, he added that 0x offers generous bug bounties to white hat hackers who help identify vulnerabilities.
As CryptoGlobe covered, 0x’s ZRX token launched on Coinbase Pro in October of last year, making it the first ERC-20 token to be listed on the San Francisco-based cryptocurrency exchange. Late last year, decentralized exchange DDEX forked the 0x protocol to better serve its users.