Trail of Bits

0x Protocol

Type: Security review

Client: 0x Protocol

Date: 2019-10

Domain: Blockchain

Effort: 10 wks

Section: Ethereum/EVM

Trail of Bits's security review of 0x Protocol (Oct 2019) identified 23 issues: 3 high, 7 medium, 2 low, and 11 informational.

Findings · 23

  1. Fee refunds incentivize transaction centralization through market makers (Low)
  2. Market makers have a reduced cost for performing front-running attacks (Medium)
  3. cancelOrdersUpTo can be used to permanently block future orders (High)
  4. setSignatureValidatorApproval race condition may be exploitable (Medium)
  5. WETH9 transferFrom often does not follow spec (Informational)
  6. Batch processing of transaction execution and order matching may lead to exchange griefing (Medium)
  7. Zero fee orders are possible if a user performs transactions with a zero gas price (Medium)
  8. Lack of events for critical operations (Informational)
  9. Lack of validation in the makerAssetData and takerAssetData leads to unexpected behavior (Informational)
  10. Transfers with zero fee amounts can log arbitrary data in their feeAssetData (Informational)
  11. MultiSigWallet does not check contract existence before call (Medium)
  12. Potential overflow in transactionId allowing arbitrary execution of transactions by a malicious owner (Informational)
  13. Specification-Code mismatch for AssetProxyOwner timelock period (High)
  14. Potential overflow in MultiSigWalletWithTimelock when calculating whether the timelock has passed (Low)
  15. Rounding division errors can accumulate over partial fills (Informational)
  16. The Cobb–Douglas function is not properly documented and reverts with valid parameters (Medium)
  17. Unclear documentation on how order filling can fail (High)
  18. Potential single point of failure for "read-only-mode" and "catastrophic-failure-mode" (Informational)
  19. ERC20 reverts during certain self-transfer (Informational)
  20. _assertStakingPoolExists never returns true (Informational)
  21. Calls to setParams may set invalid values and produce unexpected behavior in the staking contracts (Medium)
  22. Malicious non-operator maker can decrease staking pool operator share (Informational)
  23. Non-operator makers can add or remove other makers (Informational)

Findings extracted from the published report PDF. See the full report below for details and remediation.