The IDEX smart contract is published on Etherscan. Let's dive into it.
The entire smart contract is only 184 lines. Why so small, one might ask?
The reason is that IDEX is not a fully on-chain exchange. It does not store its order book on the blockchain, nor does it use the smart contract for order matching. All of that is delegated to IDEX's private servers; the contract only holds deposits and settles the trades those servers submit.
Then their server-side code has to be open source, in case something happens to them, right?
Nope. Their server-side source code is private. In other words, if their website is taken down by hackers or regulators, the entire exchange stops, with no easy way for anyone else to make it operational again.
At least I can get my ether/tokens back at any time, right?
Nope. Ether and token withdrawals are subject to a lock called
inactivityReleasePeriod. The period is counted in blocks, so the day figures below assume an average block time. At the moment it is set to about 17 days, but the admin can increase it to roughly 6 months. Proof.
You would think that, in the absolute worst case, I'll get my funds back in 6 months, right?
Nope. In the worst case, you may never get your money. The inactivity timer is reset on every trade:
`lastActiveTransaction[tradeAddresses] = block.number;` on line 182. That means that if an attacker takes over IDEX's servers and you have at least one open order, the attacker can fill that order for a single token unit, which resets the timer and blocks your funds for up to another 6 months. Repeated before each expiry, that can go on almost forever.
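The re-lock described above, as an added block-level simulation (my own illustration, not IDEX's contract code). It follows the behaviour the post describes: the off-chain operator submits fills, every fill stamps both parties' lastActiveTransaction with block.number, and a direct withdraw only succeeds once inactivityReleasePeriod blocks have elapsed since that stamp. It also models a hardening I would suggest, in which the countdown starts from a user-initiated release request that counterparty trades cannot reset; that design is my own, not IDEX's. The balances, the 15-second block time, the period lengths and the names `alice`, `operator` and `TOKEN` are assumptions.

```python
"""Block-level simulation of the inactivity lock discussed in this post.

Added illustration, not IDEX's contract code. Balances, block time, period
lengths and the party names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

BLOCKS_PER_DAY = 24 * 60 * 60 // 15   # ~15 s blocks (assumption)


@dataclass
class IdexStyleExchange:
    """Minimal model of the on-chain custody and lock logic the post describes."""
    inactivity_release_period: int                    # blocks, admin-settable
    block_number: int = 0
    balances: dict = field(default_factory=dict)      # (user, token) -> units
    last_active: dict = field(default_factory=dict)   # user -> block number

    def advance(self, blocks: int) -> None:
        self.block_number += blocks

    def deposit(self, user: str, token: str, amount: int) -> None:
        self.balances[(user, token)] = self.balances.get((user, token), 0) + amount
        self.last_active[user] = self.block_number

    def trade(self, maker: str, taker: str, token: str, amount: int) -> bool:
        """Operator-submitted fill of `amount` units maker -> taker. As in the
        contract, it resets the inactivity timer of BOTH parties, so a dust
        fill against an open order re-locks the maker's whole balance."""
        if self.balances.get((maker, token), 0) < amount:
            return False
        self.balances[(maker, token)] -= amount
        self.balances[(taker, token)] = self.balances.get((taker, token), 0) + amount
        self.last_active[maker] = self.block_number
        self.last_active[taker] = self.block_number
        return True

    def withdraw(self, user: str, token: str, amount: int) -> bool:
        """Direct (non-operator) withdraw, allowed only after the release period."""
        idle = self.block_number - self.last_active.get(user, 0)
        if idle < self.inactivity_release_period:
            return False
        if self.balances.get((user, token), 0) < amount:
            return False
        self.balances[(user, token)] -= amount
        return True


@dataclass
class RequestThenReleaseExchange(IdexStyleExchange):
    """Suggested hardening (my own design, not IDEX's): the countdown starts
    from a user-initiated release request, and the operator may not trade on
    behalf of a user with a pending request, so counterparties cannot reset it.
    The request stays pending until the user cancels it (not modelled)."""
    release_requested_at: dict = field(default_factory=dict)

    def request_release(self, user: str) -> None:
        self.release_requested_at.setdefault(user, self.block_number)

    def trade(self, maker: str, taker: str, token: str, amount: int) -> bool:
        if maker in self.release_requested_at or taker in self.release_requested_at:
            return False
        return super().trade(maker, taker, token, amount)

    def withdraw(self, user: str, token: str, amount: int) -> bool:
        start = self.release_requested_at.get(user)
        if start is None or self.block_number - start < self.inactivity_release_period:
            return False
        if self.balances.get((user, token), 0) < amount:
            return False
        self.balances[(user, token)] -= amount
        return True


def first_withdrawable_block(period_blocks: int, griefed: bool, hardened: bool,
                             horizon_blocks: int) -> Optional[int]:
    """Block at which 'alice' first gets her full balance out, or None if the
    horizon passes first. With griefed=True a hostile operator dust-fills her
    open order one block before the timer would expire, as in the post."""
    cls = RequestThenReleaseExchange if hardened else IdexStyleExchange
    ex = cls(inactivity_release_period=period_blocks)
    ex.deposit("alice", "TOKEN", 1000)   # constructed balance
    if hardened:
        ex.request_release("alice")      # alice asks to leave right away
    while ex.block_number < horizon_blocks:
        ex.advance(1)
        idle = ex.block_number - ex.last_active["alice"]
        if griefed and idle == period_blocks - 1:
            ex.trade("alice", "operator", "TOKEN", 1)   # 1-unit fill resets the timer
        if ex.withdraw("alice", "TOKEN", ex.balances[("alice", "TOKEN")]):
            return ex.block_number
    return None


if __name__ == "__main__":
    period = 17 * BLOCKS_PER_DAY            # roughly the 17 days quoted above
    horizon = 365 * BLOCKS_PER_DAY          # simulate one year
    for griefed, hardened in [(False, False), (True, False), (True, True)]:
        blk = first_withdrawable_block(period, griefed, hardened, horizon)
        days = None if blk is None else round(blk / BLOCKS_PER_DAY, 1)
        print(f"griefed={griefed} hardened={hardened}: withdrawable after {days} days")
```

In the unhardened model the griefed user never reaches a withdrawable block within the year, while spending only one token unit per 17 days to keep her locked; in the request-then-release variant the same dust fills are refused and the withdrawal becomes possible exactly one period after the request. The simulation deliberately ignores gas and the signed-withdrawal path the operator controls, since the point is the timer reset, not the full contract.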
I am disappointed in IDEX on many levels. First of all, it is a gigantic stretch for IDEX to call itself a decentralized exchange. It could claim to be a decentralized custodian, but even there it failed to implement the lock properly, since user funds can be locked for anywhere between 6 months and many years. There are two attack surfaces, the blockchain contract and the private servers, and a compromise of either halts the exchange. Even worse, a compromise that lets the attacker submit trades, as described above, can lock users' funds as well. It is especially upsetting given the excellent smart contract developed by EtherDelta.
Originally published at ylv.io on November 21, 2018.