Tokenlon 4.0 fee incident disclosure

Background

Tokenlon 4.0 is built on the 0x protocol for decentralized atomic swaps, giving users a faster, better-priced decentralized token exchange, and has been live since April 2019. The root cause of this incident is that the contract's signature verification does not handle the zero address correctly. An attacker can register his own address as the UserProxy's delegate, then submit an order whose maker is the UserProxy and whose recipient is the attacker's address. Because the attacker has become the UserProxy's validator, signature verification is bypassed and the order is treated as valid and executable. The impact is that fee tokens deposited in the UserProxy can be transferred to the attacker.
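The zero-address pitfall named above is a general one: `ecrecover` never reverts, it returns `address(0)` for any malformed or invalid signature, so a check of the form `recovered == expectedSigner` passes whenever `expectedSigner` is itself unset (zero). The example below, added by the editor, illustrates that class of bug beside a hardened version. It is not Tokenlon's code and does not reproduce the exact Tokenlon 4.0 logic; the contract name, the `delegatedSigner` mapping and the function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example added by the editor. Not Tokenlon code; all names are hypothetical.
contract SignerRegistry {
    // Hypothetical delegation mapping: proxy => authorised signer (zero if none was ever set).
    mapping(address => address) public delegatedSigner;

    function setDelegatedSigner(address signer) external {
        delegatedSigner[msg.sender] = signer;
    }

    // Split a 65-byte (r, s, v) signature and recover the signer.
    // ecrecover returns address(0) on any invalid input and never reverts.
    function recover(bytes32 hash, bytes memory sig) internal pure returns (address) {
        if (sig.length != 65) return address(0);
        bytes32 r;
        bytes32 s;
        uint8 v;
        assembly {
            r := mload(add(sig, 32))
            s := mload(add(sig, 64))
            v := byte(0, mload(add(sig, 96)))
        }
        return ecrecover(hash, v, r, s);
    }

    // VULNERABLE: when no signer is registered for `proxy`, delegatedSigner[proxy] is
    // address(0). A garbage signature also recovers to address(0), so the equality
    // holds and the order is accepted without any valid signature at all.
    function isValidVulnerable(address proxy, bytes32 hash, bytes memory sig) public view returns (bool) {
        return recover(hash, sig) == delegatedSigner[proxy];
    }

    // HARDENED: refuse the zero address on both sides of the comparison, so an
    // unset delegation can never be matched by an invalid signature.
    function isValidHardened(address proxy, bytes32 hash, bytes memory sig) public view returns (bool) {
        address expected = delegatedSigner[proxy];
        address recovered = recover(hash, sig);
        return expected != address(0) && recovered != address(0) && recovered == expected;
    }
}
```

The same rule applies to any registry that is consulted during signature validation: a lookup that can yield `address(0)` must be rejected explicitly before it is compared with the output of `ecrecover`, and the call that populates the registry must itself be authorised, otherwise an attacker can simply install a signer of his choosing.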

Impacts

After a comprehensive inspection of all contract code, we found that no funds were lost in the incident, for either our team or our users.

Subsequent Work

On Mar 4th, the Tokenlon team notified users that Tokenlon 4.0 would be gracefully and permanently shut down within one week. Fortunately, Tokenlon 5.0 has been live since Dec 18th, 2020, does not have this vulnerability, and most users have already migrated to v5. We have also reported the vulnerability to our contract audit firm.

Timeline

Feb 26, 03:35 (UTC) Sam notifies Tokenlon that 4.0 has a vulnerability that would allow fee tokens held in the UserProxy to be moved.
