
Polkadex Orderbook Security Audit: A Case Study


Polkadex is a non-custodial peer-to-peer orderbook-based crypto exchange built on the Substrate blockchain framework. It provides an optimal trading environment with the benefits of both centralization and decentralization. In particular, it combines speed and affordability with self-custody and transparency.

Audit Overview

Polkadex has undergone a comprehensive three-part blockchain protocol audit with Hacken. 

The audit produced high scores for all major components of its systems: 

  1. Orderbook v2: 9.1
  2. Layer 1 Parachain: 9.6
  3. Polkadex network and THEA Bridge: 9.4

Over the course of six months, Hacken’s blockchain protocol auditing team, led by renowned Web3 security expert Luciano Ciattaglia, scrutinized every line of code and stayed in contact with the Polkadex team throughout, in order to produce the most objective and accurate assessment possible.

We had the pleasure of working closely with Hacken to support their audit and determine the robustness of the Polkadex codebase, and its strength against possible security threats.
– Gautham J, Polkadex CEO and Co-Founder 

This case study delves into the technical details of the Polkadex blockchain protocol audit, revealing the insights from our look into the backend of the trustless and secure architecture.

Key Features and Audit Findings

Polkadex is an orderbook-based exchange, in contrast to the Automated Market Maker (AMM) model used by DEXs such as Uniswap and PancakeSwap. It brings centralized-exchange features into a peer-to-peer trading framework: interoperability, limit and market orders, high-frequency trading, and trading bot support.

Unlike many DEXs that struggle with blockchain limitations, Polkadex benefits from the customizability of the Substrate framework and from running as a parachain on Polkadot. This allows it to offer price-efficient, trustless trading pairs for Polkadot ecosystem assets at CEX-like speeds with zero network or trading fees, avoiding the slippage and congestion-driven network fees common in Ethereum-based DEXs. Polkadex’s THEA interoperability layer enables future connections to other layer 1 chains such as Ethereum, along with asset support for the connected chain’s tokens.

Let’s now explore the audit findings that highlight Polkadex’s technical and security features.

Decentralized Orderbook

Central to Polkadex is Orderbook v2, a decentralized layer 2 exchange built for rapid transactions. It consists of AWS infrastructure, the OCEX pallet that secures user funds, a calculation Engine, a State Change Handler that coordinates data, an Orderbook Worker that runs the client-side logic, and Lambda functions that interact with the blockchain.

In our audit, we delved into the intricacies of Orderbook v2, scrutinizing the next iteration of the trading logic that powers the Polkadex ecosystem. This assessment included an in-depth review of the updated orderbook mechanisms, the layer 2 Trusted Execution Environment (TEE), and the AWS infrastructure that underpins data exchange and user registration.

We found a high-severity SQL injection vulnerability in the candlestick/ticker lambdas and in the state-change Timestream client. We recommended using prepared statements, validating input values against allowed patterns, and using domain-specific types instead of raw strings.
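The following is an added illustration of the three recommendations above, not code from Polkadex or from the audit. It models a market identifier as a domain-specific type (the "BASE-QUOTE" shape, the uppercase alphanumeric alphabet and the 16-character limit are assumptions), so that a raw string can only reach a query after it has matched the allowed pattern, and then places the validated value in a bind parameter rather than in the query text. The unsafe string-formatting variant is shown beside it for contrast; the table and column names are constructed.

```rust
use std::convert::TryFrom;
use std::fmt;

/// A validated market identifier of the form BASE-QUOTE (e.g. "PDEX-USDT").
/// The shape and the symbol alphabet are assumptions made for this example.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct MarketId {
    base: String,
    quote: String,
}

#[derive(Debug, PartialEq, Eq)]
pub enum MarketIdError {
    /// Input did not split into exactly two parts around a single '-'.
    WrongShape,
    /// A part contained characters outside the allowed alphabet or was too long.
    BadSymbol(String),
}

/// Allowed pattern for one symbol: 1..=16 uppercase ASCII letters or digits.
/// Quotes, spaces, semicolons and comment markers can never get through here.
fn is_symbol(s: &str) -> bool {
    !s.is_empty()
        && s.len() <= 16
        && s.bytes().all(|b| b.is_ascii_uppercase() || b.is_ascii_digit())
}

impl TryFrom<&str> for MarketId {
    type Error = MarketIdError;

    fn try_from(raw: &str) -> Result<Self, Self::Error> {
        let mut parts = raw.split('-');
        match (parts.next(), parts.next(), parts.next()) {
            (Some(base), Some(quote), None) => {
                for part in [base, quote].iter().copied() {
                    if !is_symbol(part) {
                        return Err(MarketIdError::BadSymbol(part.to_string()));
                    }
                }
                Ok(MarketId { base: base.to_string(), quote: quote.to_string() })
            }
            _ => Err(MarketIdError::WrongShape),
        }
    }
}

impl fmt::Display for MarketId {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}-{}", self.base, self.quote)
    }
}

/// Vulnerable pattern: raw request input is spliced into the query text.
pub fn candlestick_query_unsafe(raw_market: &str, limit: u32) -> String {
    format!(
        "SELECT open, high, low, close FROM candles WHERE market = '{}' LIMIT {}",
        raw_market, limit
    )
}

/// Hardened pattern: the query text is a constant with placeholders, and the
/// values travel separately as bind parameters, already typed and validated.
pub fn candlestick_query(market: &MarketId, limit: u32) -> (&'static str, Vec<String>) {
    (
        "SELECT open, high, low, close FROM candles WHERE market = $1 LIMIT $2",
        vec![market.to_string(), limit.to_string()],
    )
}

fn main() {
    match MarketId::try_from("PDEX-USDT") {
        Ok(m) => println!("{:?}", candlestick_query(&m, 100)),
        Err(e) => println!("rejected: {:?}", e),
    }
}
```

The point of the newtype is that every function downstream of the request handler takes a `MarketId`, not a `&str`, so the compiler makes it impossible to forget the validation; the placeholder query then ensures that even a validated value is never interpreted as SQL.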

The Polkadex team quickly fixed the identified vulnerabilities in the Orderbook v2, achieving an impressive score of 9.1 with no critical issues found.

For a detailed understanding of all audit findings and resolutions in the Orderbook v2, dive into our complete audit report.

Substrate Framework

Focusing on the Layer 1 parachain, this audit segment examined Polkadex’s integration with the Polkadot network, particularly its use of Cross-Chain Message Passing (XCMP) and Cross-Consensus Messaging (XCM).

The audit identified 11 issues in total: 1 critical, 2 high, 5 medium, and 3 low severity vulnerabilities, all of which were fixed. This led to an impressive score of 9.6.

The critical vulnerability involved the xcm-helper pallet’s withdraw_asset extrinsic, which could be used for DoS attacks because of how it depended on a nonce. The recommended solution was account-specific nonce management together with stronger signature verification, which removes the risk of nonce mismatches and the associated DoS attacks.
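As an added illustration of the recommended fix (this is not the xcm-helper pallet’s code, and the request format, account model and storage are assumptions), the sketch below keeps one nonce sequence per account and binds the nonce, account and amount together in what the user signs. With a single shared counter, any accepted withdrawal changes the nonce every other user must present next, so previously signed requests stop matching; with a per-account sequence, only the signer’s own requests advance it. The signature is modelled as an FNV-1a commitment over the fields so that the example runs offline; a real pallet verifies an asymmetric signature at that step.

```rust
use std::collections::HashMap;

pub type AccountId = String;
pub type Nonce = u64;

#[derive(Debug, PartialEq, Eq)]
pub enum WithdrawError {
    BadSignature,
    NonceMismatch { expected: Nonce, got: Nonce },
}

/// A withdrawal request as submitted to the extrinsic. `signature` is a
/// constructed stand-in (a hash over account, nonce and amount) so the example
/// runs offline; a real pallet verifies an asymmetric signature here.
#[derive(Debug, Clone)]
pub struct WithdrawRequest {
    pub account: AccountId,
    pub nonce: Nonce,
    pub amount: u128,
    pub signature: u64,
}

/// FNV-1a over the encoded fields: stands in for the payload the user signs.
fn payload_commitment(account: &str, nonce: Nonce, amount: u128) -> u64 {
    let mut h: u64 = 0xcbf29ce484222325;
    for b in account.bytes().chain(nonce.to_le_bytes()).chain(amount.to_le_bytes()) {
        h ^= u64::from(b);
        h = h.wrapping_mul(0x100000001b3);
    }
    h
}

impl WithdrawRequest {
    /// Builds a correctly "signed" request; in practice this is the wallet's job.
    pub fn signed(account: &str, nonce: Nonce, amount: u128) -> Self {
        WithdrawRequest {
            account: account.to_string(),
            nonce,
            amount,
            signature: payload_commitment(account, nonce, amount),
        }
    }
}

/// Per-account nonce state: each account has its own sequence, so one
/// account's accepted withdrawals never change what another account's next
/// request must carry.
#[derive(Default)]
pub struct XcmHelper {
    nonces: HashMap<AccountId, Nonce>,
}

impl XcmHelper {
    pub fn expected_nonce(&self, account: &str) -> Nonce {
        self.nonces.get(account).copied().unwrap_or(0)
    }

    pub fn withdraw_asset(&mut self, req: &WithdrawRequest) -> Result<(), WithdrawError> {
        // The signature binds account, nonce and amount together, so a valid
        // request cannot be replayed under a different nonce or account.
        if req.signature != payload_commitment(&req.account, req.nonce, req.amount) {
            return Err(WithdrawError::BadSignature);
        }
        // The nonce is compared against the signer's own sequence only.
        let expected = self.expected_nonce(&req.account);
        if req.nonce != expected {
            return Err(WithdrawError::NonceMismatch { expected, got: req.nonce });
        }
        // Only the signer's sequence advances, and only after every check passed.
        self.nonces.insert(req.account.clone(), expected + 1);
        Ok(())
    }
}

fn main() {
    let mut pallet = XcmHelper::default();
    println!("{:?}", pallet.withdraw_asset(&WithdrawRequest::signed("alice", 0, 10)));
    println!("{:?}", pallet.withdraw_asset(&WithdrawRequest::signed("alice", 0, 10)));
}
```

Note the ordering inside `withdraw_asset`: the signature is verified before the nonce is consulted and the nonce is advanced only after both checks pass, so a request that fails either check leaves the account’s state untouched.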

Access the full audit report for a comprehensive insight into the Substrate Framework’s audit results.

THEA Bridge Technology

This audit stage pivoted its focus to the THEA Bridge technology and the general Layer 1 infrastructure of Polkadex, encompassing the OCEX pallet foundational for fund security, the core Engine, and the various Lambda functions that maintain the platform’s operational integrity.

We found four vulnerabilities: 1 high, 2 medium, and 1 low severity. All issues were resolved, resulting in a total score of 9.4 for this system.

A high-severity vulnerability was discovered in the pallet-ocex-lmp pallet, where an error while inserting into the FeesCollected storage could crash nodes. The issue, caused by an unchecked conversion from an unbounded vector to a BoundedVec, was addressed by introducing validation checks prior to the conversion, making the chain robust against malformed inputs and the DoS attacks they would otherwise enable.
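The following added example (not pallet-ocex-lmp code; the fee record, the bound of four entries and the per-epoch map are assumptions) shows why that conversion matters. A toy `BoundedVec` stands in for Substrate’s type: it can only be built through a fallible `TryFrom`, which hands the oversized vector back on failure. Unwrapping that result turns an over-long input into a panic, and a panic inside runtime code brings the node down; the hardened insert validates the length first and surfaces the failure as a dispatch error instead.

```rust
use std::collections::HashMap;
use std::convert::TryFrom;

/// Toy stand-in for Substrate's BoundedVec: a Vec that holds at most N items
/// and can only be built through a fallible conversion. This is an added
/// illustration, not the frame_support type.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct BoundedVec<T, const N: usize>(Vec<T>);

impl<T, const N: usize> TryFrom<Vec<T>> for BoundedVec<T, N> {
    /// On failure the oversized Vec is handed back, as the real type does.
    type Error = Vec<T>;

    fn try_from(v: Vec<T>) -> Result<Self, Self::Error> {
        if v.len() <= N {
            Ok(BoundedVec(v))
        } else {
            Err(v)
        }
    }
}

impl<T, const N: usize> BoundedVec<T, N> {
    pub fn len(&self) -> usize {
        self.0.len()
    }
}

/// Maximum fee entries kept per epoch. The bound itself is an assumption.
pub const MAX_FEES_PER_EPOCH: usize = 4;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Fee {
    pub asset_id: u32,
    pub amount: u128,
}

#[derive(Debug, PartialEq, Eq)]
pub enum DispatchError {
    TooManyFees { got: usize, max: usize },
}

/// Stand-in for the FeesCollected storage map (constructed for the example).
#[derive(Default)]
pub struct FeesCollected {
    by_epoch: HashMap<u32, BoundedVec<Fee, MAX_FEES_PER_EPOCH>>,
}

/// Before: the conversion result is unwrapped, so an input longer than the
/// bound panics. In runtime code a panic is fatal for the node.
pub fn to_bounded_unchecked(fees: Vec<Fee>) -> BoundedVec<Fee, MAX_FEES_PER_EPOCH> {
    BoundedVec::try_from(fees).expect("fee vector exceeds bound")
}

impl FeesCollected {
    /// After: the length is validated before the conversion and any conversion
    /// failure is mapped to a DispatchError, so malformed input fails the call
    /// rather than the node. Returns the number of entries stored.
    pub fn insert(&mut self, epoch: u32, fees: Vec<Fee>) -> Result<usize, DispatchError> {
        if fees.len() > MAX_FEES_PER_EPOCH {
            return Err(DispatchError::TooManyFees { got: fees.len(), max: MAX_FEES_PER_EPOCH });
        }
        // Cannot fail after the check above, but map_err keeps the code
        // panic-free even if the bound and the check ever drift apart.
        let bounded = BoundedVec::try_from(fees)
            .map_err(|v| DispatchError::TooManyFees { got: v.len(), max: MAX_FEES_PER_EPOCH })?;
        let stored = bounded.len();
        self.by_epoch.insert(epoch, bounded);
        Ok(stored)
    }

    pub fn get(&self, epoch: u32) -> Option<&BoundedVec<Fee, MAX_FEES_PER_EPOCH>> {
        self.by_epoch.get(&epoch)
    }
}

fn main() {
    let mut store = FeesCollected::default();
    let fees: Vec<Fee> = (0..6).map(|id| Fee { asset_id: id, amount: 1 }).collect();
    println!("{:?}", store.insert(1, fees));
}
```

The same rule generalises to every `unwrap`, `expect` and indexing operation on caller-controlled data in a runtime: anything that can panic on malformed input is a node-crash vector, and the fix is always to validate and return an error on the dispatch path.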

To explore each issue and its fix in the THEA Bridge Technology audit, see our complete audit report.

Conclusions

During the comprehensive audit of Polkadex, our blockchain protocol audit team performed the following reviews and tests:

  • Substrate Fork Review: Evaluation of all code changes and updates since the initial cloning from Substrate to ensure security and currency.
  • Cryptography and Keys: Examination of cryptography libraries, key generation processes, keystore storage, and asymmetric signing and verification mechanisms.
  • Substrate Client and Parachain Configuration Review: Scrutiny of the Substrate client configuration and parachain setup, including chain specifications.
  • Consensus Mechanism Review: A thorough review of the consensus process for robustness and resilience.
  • Substrate FRAME Pallets and Runtime Implementation: Analysis of Substrate FRAME pallets usage and the overall runtime implementation, focusing on security against standard attacks.
  • Pallet Reviews: Focused reviews of the xcm-handler and thea-council pallets.
  • RPC Implementation Review: Evaluation of RPC implementation for vulnerabilities.
  • Code Implementation Assessment: Assessment of code quality, static code analysis, test coverage, and benchmarking.
  • Attack Scenario Analysis: Rigorous analysis of various attack scenarios, including gas, race conditions, stack attacks, DoS, state implosion, and access control bypass.
  • Protocol and Node Testing: Conducting environment setup for end-to-end synchronization tests, consensus tests, and transaction tests.
  • Runtime and Fuzz Tests: Execution of fuzz tests to check runtime vulnerabilities.

The high scores from such a reputed auditor are evidence of our commitment to maintaining the highest standards of security and technical proficiency across Polkadex products.
– Pavan Kanteti, Product Manager at Polkadex

This meticulous approach highlighted not only Polkadex’s dedication to maintaining high security standards but also its position as a unique orderbook-based DEX offering centralized exchange features, such as high-frequency trading, market orders, and zero fees. 

This audit rigorously assessed the robustness, security, and technical proficiency of Polkadex’s systems. All these components scored impressively high: 

  • Orderbook v2 with 9.1
  • Layer 1 Parachain with 9.6
  • Polkadex network and THEA Bridge with 9.4

Notably, in all three audit stages, Polkadex systems got 10 out of 10 for Security Level.

Our blockchain protocol audit with Polkadex has underscored their dedication to enhancing code quality, architecture, and security. The notable improvements they’ve made across these domains are reflected in the high audit scores, showcasing a fortified approach to safeguarding crypto assets and providing secure decentralized trading.
– Luciano Ciattaglia, Director of Services at Hacken

All in all, Polkadex stands out in the DEX landscape with its blend of centralized-like features and direct, peer-to-peer trading facilitated by the advanced capabilities of the Polkadot network, as well as secure implementation.
