In July 2022, HYDN Seekers and Position Exchange worked together to remediate a re-entrancy vulnerability which we identified in their Marketplace contract. In this article, we’ll take a deep dive into the vulnerability that was found and how it was remediated.
As part of HYDN’s ongoing efforts to help make blockchain a safer place for all, the HYDN Seekers team review and assess live dApps and protocols for exploits and help owners remediate them before bad actors can find and act upon them. Our team is reviewing and assessing protocols 24 hours a day, 7 days a week, 365 days a year.
These vulnerability tests are carried out to discover issues before malicious threat actors do. HYDN Seekers then provide this information to protocols and work with their team so that they can remediate issues and protect their customers as soon as possible.
HYDN believes that in carrying out this service we are doing our part to help make blockchain a safe space for both users and protocol owners, as well as ensuring that the HYDN team stays on top of the latest security trends.
Position Exchange protocol is a DEX and trading platform that operates on the Binance Smart Chain (BSC) and is powered by a pip order book that is fully on-chain. It responds to the growing population and demands of a decentralized user base wanting platforms free of regulations, restrictions, bias, intermediaries, and other flaws of centralized exchanges.
With a long-term goal of becoming the first choice for users of decentralized exchanges and trading platforms, Position Exchange combines the benefits of decentralized finance (DeFi) and the functionality of centralized exchanges to give users the best possible experience. The platform starts by offering only on-chain derivatives trading with plans to diversify assets later. It also offers high leverage, low slippage, and low costs on all cryptocurrency assets.
The vulnerability that HYDN Seekers found was related to the Position Exchange Marketplace Contract.
The expected behaviour of the POSI Marketplace contract is as follows:
At the end of the auction, if no one bids on the NFT, the Seller can get the NFT back.
Alternatively, at the end of the auction if someone bids, the Seller or the Buyer can call collect to trigger the payment transfer (from the Buyer to the Seller) and the NFT item transfer (from the Seller to the Buyer).
The HYDN Seekers team found a vulnerability within the POSI Marketplace contract which allowed a bad actor to perform a re-entrancy attack by carrying out the following steps:
1 — List an NFT for auction
2 — Bid on the auction
3 — Wait for the minimum duration
4 — Call Collect
    a — First check the auction is not taken
    b — Then transfer the NFT
    c — Then transfer the payment
    d — Mark the auction as taken
To keep it clear, the full function:
The attack vector is a re-entrancy attack: Collect is called again, multiple times, from within auction.nft.safeTransferFrom() at line 308 (step b). This allows the attacker to take advantage of the payment at line 315 (step c) and have it performed multiple times.
This attack is allowed due to multiple contract issues:
Although the first point alone (the nonReentrant modifier) would stop the attack, it is best practice, and safer, to address all of the other points raised above as well.
With assistance from the HYDN Seekers team in identifying the vulnerability, Position Exchange successfully remediated it before any malicious actors could carry out an attack.
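As an added illustration (not Position Exchange's or HYDN's code), here is a collect function that applies both remediations: a nonReentrant guard, and marking the auction as taken before any external call. Only `nft`, `taken`, collect and `safeTransferFrom` come from the article; the other field names, the escrow model and the ERC-20 payment token are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Minimal interfaces so the example compiles on its own.
interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}
// Hypothetical hardened marketplace. Field names other than `nft` and
// `taken` are assumptions; NFT and bid are assumed escrowed in this contract.
contract HardenedMarketplace {
    struct Auction {
        IERC721 nft;
        uint256 tokenId;
        address seller;
        address highestBidder;
        uint256 highestBid;
        uint256 endTime;
        bool taken;
    }

    IERC20 public immutable paymentToken;
    mapping(uint256 => Auction) public auctions;
    uint256 private _status = 1; // 1 = not entered, 2 = entered

    constructor(IERC20 token) { paymentToken = token; }
    // Same idea as OpenZeppelin's ReentrancyGuard, inlined to stay self-contained.
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    function collect(uint256 auctionId) external nonReentrant {
        Auction storage auction = auctions[auctionId];
        // Checks
        require(block.timestamp >= auction.endTime, "auction running");
        require(auction.highestBidder != address(0), "no bid");
        require(msg.sender == auction.seller || msg.sender == auction.highestBidder, "not a party");
        require(!auction.taken, "already taken");
        // Effects: step d moves ahead of steps b and c
        auction.taken = true;
        // Interactions: a receiver callback that re-enters now fails the checks
        auction.nft.safeTransferFrom(address(this), auction.highestBidder, auction.tokenId);
        require(paymentToken.transfer(auction.seller, auction.highestBid), "payment failed");
    }
}
```

Either change on its own rejects a nested call to collect; keeping both means the state update still protects the function if the modifier is ever dropped during a refactor.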
We’d like to take a moment to say thank you to Justin and his team from Position Exchange for being so proactive in protecting their community.
If the HYDN Seekers team find a potential threat or exploit, we will then do the following:
Attempt to contact you via one of these channels
Email — firstname.lastname@example.org
Telegram — @hydnseekers
Twitter — @hydnseekers
*Please note that the HYDN Seekers team will only contact you via these channels and that you should ignore any messages claiming to be HYDN Seekers from any other accounts.
First of all, don’t panic! If the team has found a potential exploit we will not share any details with anyone apart from you.
Once you respond to us via either Email, Telegram, or Twitter we will begin working with you to remediate the issue.
If the issue requires urgent action, we will inform you to ensure that funds or assets are not compromised.