DDEX, a hybrid decentralized exchange designed to provide liquidity for Ethereum and ERC-20 tokens directly from user wallets, announced today that at 12:54 am on September 18th, the security researcher samczsun notified the DDEX team of a potential vulnerability in a contract used to beta test margin and lending functionality.
The fix was deployed and verified at 5:50 am on September 18th. No funds were lost.
The DDEX team says that it refrained from releasing any information until now because it was notified that similar vulnerabilities had been found in publicly launched projects with substantial funds at risk.
Neither ddex.io nor Hydro relayers are affected by this issue. The potential vulnerability exists only within an isolated set of contracts deployed for beta testing purposes. Approximately 122 ETH worth of ETH and DAI were at risk.
The exploit worked by altering the DAI price on Uniswap and Eth2dai, the two projects DDEX uses to source DAI liquidity.
In a simulated contract call, samczsun used approximately 25000 ETH to drastically alter the price of DAI, which allowed borrowing to occur with very little actual collateral, resulting in a profit of approximately 70 ETH.
samczsun went into detail on the issues presented by the vulnerability in a published article.
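The following added example (not code from DDEX or samczsun) models why a price read directly from a constant-product pool is unsafe for valuing collateral, and shows one guard a lending contract can apply. The pool reserves, the 1,000 DAI collateral position, the assumption that collateral is DAI valued in ETH, and the `checked_price` deviation guard are all constructed for illustration; the article does not describe the fix DDEX deployed.

```python
from fractions import Fraction

FEE = Fraction(997, 1000)  # 0.3% swap fee, as in Uniswap's constant-product pools


def swap_eth_for_dai(eth_reserve, dai_reserve, eth_in):
    """Constant-product swap (x * y = k): returns reserves after selling eth_in."""
    eth_after_fee = eth_in * FEE
    dai_out = dai_reserve * eth_after_fee / (eth_reserve + eth_after_fee)
    return eth_reserve + eth_in, dai_reserve - dai_out


def spot_eth_per_dai(eth_reserve, dai_reserve):
    """Instantaneous pool price, i.e. what a lender reading the pool directly sees."""
    return Fraction(eth_reserve) / Fraction(dai_reserve)


def checked_price(spot, reference, max_deviation=Fraction(5, 100)):
    """Hypothetical guard: reject a spot price that strays from a reference
    (for example a time-weighted average or an independent feed)."""
    if abs(spot - reference) > reference * max_deviation:
        raise ValueError("spot price deviates from reference; refusing to lend")
    return spot


def demo():
    # Constructed reserves; real pool sizes are not given in the article.
    eth, dai = Fraction(5_000), Fraction(1_000_000)
    before = spot_eth_per_dai(eth, dai)
    # One large ETH sale into the pool, sized like the simulated call.
    eth2, dai2 = swap_eth_for_dai(eth, dai, Fraction(25_000))
    after = spot_eth_per_dai(eth2, dai2)
    collateral_dai = 1_000  # constructed collateral position
    try:
        checked_price(after, reference=before)
        guard_blocked = False
    except ValueError:
        guard_blocked = True
    return {
        "price_before": before,
        "price_after": after,
        "collateral_value_before_eth": collateral_dai * before,
        "collateral_value_after_eth": collateral_dai * after,
        "guard_blocked": guard_blocked,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, float(value) if isinstance(value, Fraction) else value)
```

With these constructed reserves, the same 1,000 DAI of collateral is valued at 5 ETH before the swap and about 179.55 ETH after it, and the deviation guard refuses the manipulated price.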