Today (7/12) at approximately 4:30 PM PT, we were made aware of a potential exploit in the 0x v2.0 Exchange contract by a third-party security researcher, samczsun. The vulnerability would allow an attacker to fill certain orders using invalid signatures. It does not affect the ZRX token contract; your digital assets are safe.
After verifying the vulnerability internally at 0x, and out of an abundance of caution, we used the AssetProxyOwner contract to shut down the v2.0 Exchange and all AssetProxy contracts so that the vulnerability cannot be exploited. The contracts were shut down at approximately 7:45 PM PT. To the best of our knowledge, no one has exploited this vulnerability and no user funds have been lost; we plan to follow up with a deeper historical analysis of trade logs to verify this. Unfortunately, the shutdown also means the currently deployed 0x contracts cannot process trades.
A patched version of the Exchange contract — that we are confident fixes this vulnerability — and new AssetProxy contracts are being deployed to the Ethereum mainnet and we expect them to be ready to use later tonight.
We are doing our best to verify that other smart contracts are not vulnerable to this exploit before disclosing it publicly in a formal post-mortem.
Immediate Next Steps
Teams will need to point to the patched, newly deployed Exchange and AssetProxy contracts and clear their orderbooks of outstanding orders. Users will need to reset their token allowances for the new 0x AssetProxy contracts (allowances are granted to the AssetProxy contracts, not to the Exchange, so the ones granted to the shut-down proxies do not carry over). This post will be updated with the new addresses post-deployment.
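What "reset your allowances" amounts to on-chain, as an added example that is not part of the original post: an ERC20 allowance lives on the token contract and is keyed by spender, so upgrading the Exchange does nothing to it. A user revokes the allowance granted to the retired AssetProxy and grants one to its replacement. The code below builds the calldata for those two `approve` calls by hand (no web3 library, so it runs offline); the token and proxy addresses are made-up placeholders, since the post does not give the new addresses, and the dependency-free encoder is this example's own, not 0x's code.

```javascript
// Added example (not from the 0x post). Builds the two ERC20 `approve` transactions
// a user sends to migrate an allowance from a retired 0x AssetProxy to its replacement.
// Assumptions: the token is a standard ERC20; the addresses below are constructed
// placeholders, not real 0x contract addresses.

const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

function isAddress(a) {
  return /^0x[0-9a-fA-F]{40}$/.test(a);
}

// ABI-encode a 20-byte address as one 32-byte word (left-padded with zeros).
function encodeAddress(addr) {
  if (!isAddress(addr)) throw new Error(`bad address: ${addr}`);
  return addr.slice(2).toLowerCase().padStart(64, "0");
}

// ABI-encode a uint256 as one 32-byte word.
function encodeUint256(n) {
  const v = BigInt(n);
  if (v < 0n || v > MAX_UINT256) throw new Error("uint256 out of range");
  return v.toString(16).padStart(64, "0");
}

// Calldata for ERC20.approve(spender, amount): selector || address word || amount word.
function encodeApprove(spender, amount) {
  return "0x" + APPROVE_SELECTOR + encodeAddress(spender) + encodeUint256(amount);
}

// Two transactions, both sent to the token contract:
//   1. approve(oldProxy, 0)       -- revoke the allowance held by the shut-down proxy
//   2. approve(newProxy, amount)  -- grant the replacement proxy
// Revoking to zero first also satisfies tokens that reject a nonzero-to-nonzero change.
function allowanceResetTxs(token, oldProxy, newProxy, amount = MAX_UINT256) {
  if (!isAddress(token)) throw new Error(`bad token address: ${token}`);
  if (oldProxy.toLowerCase() === newProxy.toLowerCase()) {
    throw new Error("old and new proxy are the same address");
  }
  return [
    { to: token, data: encodeApprove(oldProxy, 0n) },
    { to: token, data: encodeApprove(newProxy, amount) },
  ];
}

// Constructed placeholder addresses (not real 0x contracts).
const TOKEN = "0x" + "aa".repeat(20);
const OLD_PROXY = "0x" + "11".repeat(20);
const NEW_PROXY = "0x" + "22".repeat(20);

// Unlimited approval is the common default; pass a bounded amount to limit exposure.
console.log(allowanceResetTxs(TOKEN, OLD_PROXY, NEW_PROXY));
```

Each object is the `to`/`data` pair of a transaction to sign and broadcast from the user's wallet. Note that revoking the old proxy is explicit work: nothing about deploying a new Exchange or AssetProxy touches allowances already recorded on the token contract.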
On behalf of the 0x core team, I sincerely apologize. Since the beginning, we’ve set an extremely high bar for code quality, test hygiene, and all independent security auditors that we work with. We understand ...
0x Blog - Medium