Your Funds Are Probably Not Safe on IDEX

by Igor Yalovoy, November 21st, 2018

After the recent news of the SEC taking on EtherDelta, one might expect IDEX to be next on the list. We have to ask ourselves: how decentralized and safe is IDEX, really?

The IDEX smart contract is available on Etherscan (https://etherscan.io/address/0x2a0c0dbecc7e4d658f48e01e3fa353f44050c208#code). Let's dive into it.

The entire smart contract is only 184 lines. Why so small, one might ask?

The reason is that IDEX is not a full-capacity exchange on the blockchain. It doesn't store its order book on the blockchain, nor does it use a smart contract for order matching. All of that is delegated to their private servers.

Then their code has to be open-source in case something happens to them, right?

Nope. Their source code is private. In other words, if their website is taken down by a hacker or by regulators, the entire exchange would stop, with no easy way to make it operational again.

At least I can get my ether/tokens back anytime, right?

Nope. They have a lock time on ether/token withdrawals called inactivityReleasePeriod. At the moment it is set to 17 days, but it can be increased by the admin to roughly 6 months. Proof.

Your funds are locked

You would think: in the absolute worst case, I'll get my funds back in 6 months, right?

Nope. In the worst case, you would get your money almost never. The inactivity period is updated on every trade: lastActiveTransaction[tradeAddresses[3]] = block.number; (line 182). That means if a hacker gets control of IDEX and you have at least one open order, the hacker can fill your order with just one token to block your funds for yet another 6 months. Essentially, that can last almost forever.
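
The lock-reset behaviour described above, as an added Python model (not the IDEX contract's code and not the author's). The class and function names, the 100-block period and the fill schedules are constructed for illustration, and the fills_reset_timer=False variant is a hypothetical design in which only owner-initiated actions restart the clock.

```python
"""Toy model of the inactivity lock described in the article (constructed values)."""


class InactivityLock:
    def __init__(self, release_period, fills_reset_timer=True):
        self.release_period = release_period        # blocks of inactivity required
        self.fills_reset_timer = fills_reset_timer  # True = behaviour the article describes
        self.last_active = {}                       # account -> block of last activity

    def deposit(self, account, block):
        # An action the account owner initiates always counts as activity.
        self.last_active[account] = block

    def fill_order(self, owner, block):
        # A fill of any size against the owner's open order. The owner does not
        # initiate it, yet in the described design it restarts the owner's clock.
        if self.fills_reset_timer:
            self.last_active[owner] = block

    def can_withdraw(self, account, block):
        return block - self.last_active[account] >= self.release_period


def simulate(fill_blocks, fills_reset_timer, period=100, horizon=1000):
    """Deposit at block 0, replay fills, and return the first block at which a
    withdrawal would succeed, or None if none does before `horizon`."""
    lock = InactivityLock(period, fills_reset_timer)
    lock.deposit("user", 0)
    fills = set(fill_blocks)
    for block in range(horizon):
        if block in fills:
            lock.fill_order("user", block)
        if lock.can_withdraw("user", block):
            return block
    return None


if __name__ == "__main__":
    tiny_fills = range(90, 1000, 90)  # one small fill just before each expiry
    print("no fills:                ", simulate([], True))
    print("three fills:             ", simulate([90, 180, 270], True))
    print("fills every 90 blocks:   ", simulate(tiny_fills, True))
    print("same fills, owner-only:  ", simulate(tiny_fills, False))
```

In this model, an account with no open orders has nothing that can be filled, so its clock runs down normally.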

Conclusion

I am disappointed by IDEX on many levels. First of all, it is a gigantic stretch for IDEX to call themselves a decentralized exchange. They could claim to be a decentralized custodian, but even here they failed to implement locking properly, as it allows user funds to be locked for somewhere between 6 months and many years. They are vulnerable on both levels: the blockchain and the private servers. Whichever gets hacked, the exchange would halt. And even worse, if the smart contract is hacked, then users' funds can be locked. It is especially upsetting considering the amazing smart contract developed by EtherDelta.

TL;DR

  • IDEX is not a decentralized exchange at all.
  • IDEX is a decentralized custodian of ether/tokens, but due to a poor smart contract implementation funds can be locked for a minimum of 6 months, up to many years.

Originally published at ylv.io on November 21, 2018.