HYDN Seekers — Position Exchange Vulnerability Report
In July 2022, HYDN Seekers and Position Exchange worked together to remediate a re-entrancy vulnerability which we identified in their Marketplace contract. In this article, we’ll take a deep dive into the found vulnerability and how it was remediated.
What is HYDN Seekers?
As part of HYDN’s ongoing efforts to help make blockchain a safer place for all, the HYDN Seekers team review and assess live dApps and protocols for exploits and help owners remediate them before bad actors can find and act upon them. Our team is reviewing and assessing protocols 24 hours a day, 7 days a week, 365 days a year.
These vulnerability tests are carried out to discover issues before malicious threat actors do. HYDN Seekers then provide this information to protocols and work with their team so that they can remediate issues and protect their customers as soon as possible.
HYDN believes that in carrying out this service we are doing our part to help make blockchain a safe space for both users and protocol owners, as well as ensuring that the HYDN team stays on top of the latest security trends.
What is Position Exchange?
Position Exchange protocol is a DEX and trading platform that operates on the Binance smart chain (BSC) and is powered by a pip order book fully on-chain. It responds to the growing population and demands of a decentralized user base wanting platforms void of regulations, restrictions, bias, intermediaries, and other flaws of centralized exchanges.
With a long-term goal of becoming the first choice for users of decentralized exchanges and trading platforms, Position Exchange combines the benefits of decentralized finance (DeFi) and the functionality of centralized exchanges to give users the best possible experience. The platform starts by offering only on-chain derivatives trading with plans to diversify assets later. It also offers high leverage, low slippage, and low costs on all cryptocurrency assets.
What Vulnerability Did HYDN Seekers Find?
The vulnerability that HYDN Seekers found was related to the Position Exchange Marketplace Contract.
- Proxy: 0x05E5b3CD263C4Cd40CFA74B5e221DbEDE60c632E
- Implementation: 0x2AFfDb44c31f15A8e75bBfaaeac9DCa3c017cce6
The expected behaviour of the POSI Marketplace contract is as follows:
- A user lists an NFT item for sale at a fixed price (defined by the Seller). The NFT item is then transferred from the Seller to the Marketplace contract. Other participants can purchase it (with $POSI or $BNB), payment (from Buyer to Seller) and NFT item (from Seller to Buyer) are then transferred at the purchase time.
- A user lists an NFT item for sale using an auction. The starting price is defined by the Seller at the time of listing and duration is defined by the Seller (with a minimum ensured by the contract). The NFT item is then transferred from the Seller to the Marketplace contract. Other participants can then bid on the NFT and payment is locked into the contract until the end of the auction. If another participant bids higher, the previous bid is refunded when the new bid occurs.
At the end of the auction, if no one bids on the NFT, the Seller can get the NFT back.
Alternatively, at the end of the auction if someone bids, the Seller or the Buyer can call collect to trigger the payment transfer (from the Buyer to the Seller) and the NFT item transfer (from the Seller to the Buyer).
The HYDN Seekers team found a vulnerability within the POSI Marketplace contract which allowed a bad actor to perform a re-entrancy attack by carrying out the following steps:
1 — List an NFT for auction
2 — Bid on the auction
3 — Wait for the minimum duration
4 — Call Collect
Now let’s go deeper into the collect function:
a — First check the auction is not taken
b — Then transfer the NFT
c — Then transfer the payment
d — Mark the auction as taken
To keep it, clear the full function:
The vector of the attack is to perform a Re-Entrancy Attack and call Collect multiple times from the l308 auction.nft.safeTransferFrom(), step b/ This will allow us to take advantage of the payment l315, step c/ And perform it multiple times.
HYDN Seekers Recommendations
This attack is allowed due to multiple contract issues:
- Collect function does not have a nonReentrant modifier
- A lack of validation on the NFT address from the listMarket function
- ERC721 standard will trigger onerc721received hook and then the payment is called. It is safer to do the opposite
- The NFT is transferred, the payment is transferred, and then the auction is flagged as taken. Again, it is safer to do the opposite
Although only the first point (nonReentrant modifier) would stop the attack, in best practice it is still safer to address all of the other points raised above.
With assistance from the HYDN Seekers team to identify the vulnerability Position Exchange successfully remediated this vulnerability before any malicious actors could carry out an attack.
We’d like to take a moment to say thank you to Justin and his team from Position Exchange for being so proactive in protecting their community.
What should I do if I’ve been contacted by HYDN Seekers?
If the HYDN Seekers team find a potential threat or exploit, we will then do the following:
Attempt to contact you via one of these channels
Email — email@example.com
Telegram — @hydnseekers
Twitter — @hydnseekers
*Please note that the HYDN Seekers team will only contact you via these channels and that you should ignore any messages claiming to be HYDN Seekers from any other accounts
First of all, don’t panic! If the team has found a potential exploit we will not share any details with anyone apart from you.
Once you respond to us via either Email, Telegram, or Twitter we will begin working with you to remediate the issue.
If the issue requires urgent action, we will inform you to ensure that funds or assets are not compromised.
Where can I learn more about HYDN and HYDN Seekers?
You can learn more about the work that HYDN and HYDN Seekers do, as well as book a Smart Contract Audit by going to our website.