Your Funds Are Probably Not Safe on IDEX

After recent news of SEC taking on EtherDelta, one might expect IDEX would be next in the list. We have to ask ourselves — how truly decentralized and safe IDEX is?

Credits to Aleksey Shmatov

IDEX smart contract is present on Etherscan. Let’s dive into it.

The entire smart contract is only 184 lines. Why so small one might ask?

The reason behind this is that IDEX is not full capacity exchange on the blockchain. It doesn’t store its order book on the blockchain, neither it uses smart contract for order matching. That all is delegated to their private servers.

Then their code has to be open-source in case something happens to them, right?

Nope. Their source code is private. In other words, if their website is taken down by hacker/regulators, the entire exchange would be stopped for sure with no easy way to make it operational.

At least I can get my ether/tokens back anytime, right?

Nope. They have lock time on ether/token withdraw called inactivityReleasePeriod. At that moment it is set to 17 days, but it can be increased by admin to roughly 6 months.Proof.

Your funds are locked

You would think. In absolute worst case, I’ll get my funds back in 6 months, right?

Nope. In the worst case, you would get your money almost never. Inactivity period updated on every traded lastActiveTransaction[tradeAddresses[3]] = block.number; line 182. That means if hacker gets IDEX and you have at least one open order, the hacker can fill your order with just one token to block your funds for yet another 6 months. Essentially that can last almost forever.

Conclusion

I am disappointed by IDEX on many levels. First of all, it is a gigantic stretch for IDEX to call themselves a decentralized exchange. They could claim to be a decentralized custodian, but even here they failed with implementing locking properly as it allows to lock user funds somewhere between 6 months and many years. They are vulnerable on both levels blockchain and private servers. Whatever gets hacked exchange would halt. And even worse if the smart contract is hacked, then users funds can be locked. It is especially upsetting taking into account an amazing smart contract developed by EtherDelta.

TL;DR

  • IDEX is not decentralized exchange at all.
  • IDEX is the decentralized custodian of ether/tokens, but due to poor smart contract implementation funds can be locked for minimum 6 months up to many years.

Originally published at ylv.io on November 21, 2018.

More by Igor Yalovoy

Topics of interest

More Related Stories