Tokenlon 4.0 fee incident disclosure

On the morning of Feb 26th, the Tokenlon team received a message from @willwarren89 of 0x: the well-known white-hat hacker @Samczsun had found a security vulnerability in Tokenlon 4.0. The vulnerability is high-risk: it affects not only the security of the transaction fees deposited on the platform but also the safety of user funds. In response, the Tokenlon team immediately launched defensive actions on both fronts.

1. The Tokenlon team immediately withdrew a large amount of the transaction fee tokens back to the treasury, so that no accumulated fees would be lost.

2. The Tokenlon team immediately began sending orders to Tokenlon 4.0 through the TAICHI network, so that attackers could not use front-running to construct transactions in which the payee is the attacker's address.

Background

Besides, Tokenlon 4.0 does not include the receiver field in the signed order; instead, the receiver is appended after the user's signature. This introduces the risk that an attacker can substitute his own address for the user's. Plus, because the attacker is a delegator of UserProxy, the attacker can complete the trade successfully and receive the user's funds.
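The following is an added illustration of the flaw described above, not code from Tokenlon's contracts. It models the two signing layouts in Python: scheme A, where the receiver is appended after the signature and is therefore not covered by it, and scheme B, where the receiver is a field of the signed order. HMAC-SHA256 stands in for the wallet's ECDSA signature so the example runs offline (an assumption; with HMAC the verifier holds the same key as the signer), and the addresses, order fields and key are constructed placeholders. The two `receiver_bound_*` functions are the check a reviewer would want: does changing the receiver after signing cause settlement to fail?

```python
import hashlib
import hmac
import json

# Constructed example: HMAC-SHA256 stands in for ECDSA, and these values are
# placeholders, not Tokenlon's real keys, addresses or contract data.
USER_KEY = b"user-signing-key"   # stands in for the user's private key
USER = "0x" + "11" * 20          # the user's own address (constructed)
OTHER = "0x" + "22" * 20         # some other address (constructed)


def order_digest(order: dict) -> bytes:
    """Canonical hash of the order fields the signer commits to."""
    return hashlib.sha256(json.dumps(order, sort_keys=True).encode()).digest()


def sign(key: bytes, digest: bytes) -> bytes:
    return hmac.new(key, digest, hashlib.sha256).digest()


def verify(key: bytes, digest: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, digest), sig)


# --- Scheme A (the layout described for Tokenlon 4.0): receiver appended after the signature ---
def sign_a(key: bytes, order: dict, receiver: str) -> bytes:
    # The 20-byte receiver is concatenated AFTER the signature, so it is
    # not part of what the signature covers.
    return sign(key, order_digest(order)) + bytes.fromhex(receiver[2:])


def settle_a(order: dict, blob: bytes):
    """Returns the address that would be paid, or None if the signature fails."""
    sig, receiver = blob[:32], "0x" + blob[32:].hex()
    return receiver if verify(USER_KEY, order_digest(order), sig) else None


# --- Scheme B (hardened): receiver is one of the signed order fields ---
def sign_b(key: bytes, order: dict) -> bytes:
    return sign(key, order_digest(order))


def settle_b(order: dict, sig: bytes):
    """Returns order['receiver'] only if the signature covers the whole order."""
    return order["receiver"] if verify(USER_KEY, order_digest(order), sig) else None


def receiver_bound_a() -> bool:
    """True only if altering the receiver after signing makes settlement fail."""
    order = {"maker": USER, "sell": "ETH", "buy": "USDT", "amount": 1}
    blob = sign_a(USER_KEY, order, USER)
    altered = blob[:32] + bytes.fromhex(OTHER[2:])   # receiver swapped, signature untouched
    return settle_a(order, altered) is None


def receiver_bound_b() -> bool:
    order = {"maker": USER, "sell": "ETH", "buy": "USDT", "amount": 1, "receiver": USER}
    sig = sign_b(USER_KEY, order)
    altered = dict(order, receiver=OTHER)            # receiver swapped inside the signed data
    return settle_b(altered, sig) is None


if __name__ == "__main__":
    print("scheme A binds receiver:", receiver_bound_a())   # False
    print("scheme B binds receiver:", receiver_bound_b())   # True
```

Under scheme A the signature still verifies after the trailing receiver bytes are changed, so settlement pays whatever address is appended; under scheme B the same change alters the signed digest and settlement refuses. Any value that decides where funds go must sit inside the data the signature covers.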

Impacts

Subsequent Work

We sincerely thank Sam for finding this issue and notifying our team immediately, so that we could prevent any loss of funds. We will award Sam a bounty of 50000 USDT.

Finally, we will announce our bug bounty program for white hats and researchers, to reward people who find bugs in our smart contracts.

Timeline

03:51 The Tokenlon team confirmed the risk and immediately withdrew most of the fee tokens.

04:40 The Tokenlon team decided to gracefully shut down Tokenlon 4.0 within one week, notified users, and set up a monitor on the 4.0 contract.

Feb 28, 04:00 Confirmed with Sam that an attacker could front-run a trade sent to 4.0 and redirect the funds to the attacker's account. The TAICHI network was used to send users' trades via a private network.

Mar 4, 07:00 Tokenlon 4.0 was shut down permanently. The Tokenlon team notified users to upgrade their app to use Tokenlon 5.0.
