Audits
Services
Services
Smart Contract Audit
Blockchain Protocol Audit
Penetration Testing
dApp Audit
Crypto Wallet Audit
Cross-Chain Bridge Audit
Bug Bounty
Proof of Reserves
CCSS Audit
Tokenomics Audit & Design
Smart Contract Audit
Mitigate weaknesses in your smart contract and improve its functionality with a double line-to-line code analysis and a separate review by a lead auditor.
Blockchain Protocol Audit
Secure the entire architecture and implementation layers of your blockchain protocol with professional security audits and testing.
Penetration Testing
Proactively detect vulnerabilities in your Web3 project by subjecting your systems to a simulated cyberattack in a secure and controlled environment.
dApp Audit
Identify vulnerabilities in applications interacting with blockchain networks with secure code review and static security analysis.
Crypto Wallet Audit
Code review & static security analysis for crypto wallet apps.
Cross-Chain Bridge Audit
Code review & security analysis for cross-chain crypto bridges.
Bug Bounty
Receive only relevant bug reports or undergo crowdsourced penetration testing with the help of thousands of ethical hackers curated by HackenProof.
Proof of Reserves
Enhance transparency in crypto exchanges with independent on-chain proof of assets’ true collateralization.
CCSS Audit
Assess and strengthen your security practices, identify vulnerabilities, and safeguard valuable digital assets in the ever-evolving cryptocurrency landscape.
Tokenomics Audit & Design
Ensure your token model robustness and efficiency and convey trust to investors and community with our thorough, independent audit of protocol economic security.
Solutions
Post-deployment security solution
Hacken Extractor
Real-time smart contract protection from assets loss
Learn more
Solutions
Featured ecosystems:
Ethereum (EVM)
BSC
Polygon
Near
Avalanche
Fantom
Aptos
Sui
Optimism
zkSync
Arbitrum
Solana
Polkadot
Cosmos
Radix
Linea
MetaMask
Others
By Languages:
Solidity
Rust
Move
Blog
Company
Company

The window to exchange $HAI for Hacken Equity Shares ($HES) is now open > Claim your spot today

Polkadex Orderbook Security Audit: A Case Study

Polkadex Orderbook Security Audit: A Case Study

Share via:

Polkadex is a non-custodial peer-to-peer orderbook-based crypto exchange built on the Substrate blockchain framework. It provides an optimal trading environment with the benefits of both centralization and decentralization. In particular, it combines speed and affordability with self-custody and transparency.

Audit Overview

Polkadex has undergone a comprehensive three-part blockchain protocol audit with Hacken.

The audit produced high scores for all major components of its systems:

Orderbook v2: 9.1
Layer 1 Parachain: 9.6
Polkadex network and THEA Bridge: 9.4

Over the course of six months, Hacken’s premier blockchain protocol auditing team, led by a renowned Web3 security expert Luciano Ciattaglia, scrutinized every line of code and communicated with the Polkadex team. This was all in an effort to produce the most objective and accurate assessment possible.

We had the pleasure of working closely with Hacken to support their audit and determine the robustness of the Polkadex codebase, and its strength against possible security threats.
– Gautham J, Polkadex CEO and Co-Founder

This case study delves into the technical details of the Polkadex blockchain protocol audit, revealing the insights from our look into the backend of the trustless and secure architecture.

Key Features and Audit Findings

Polkadex is an order book-based exchange, contrasting with Automated Market Maker (AMM) models used by DEXs like Uniswap and PancakeSwap. It integrates centralized exchange-like features within a peer-to-peer trading framework. Advantages include interoperability, limit and market orders, high-frequency trading, and trading bot support.

Unlike many DEXs struggling with blockchain limitations, Polkadex benefits from the customizability of the Substrate framework and a parachain on Polkadot, enabling the current offering of price-efficient, trustless trading pairs of Polkadot ecosystem assets at CEX-like speeds and zero network or trading fees, resolving issues like slippage and high network fees (due to congestion) common in Ethereum-based DEXs. Polkadex’s THEA interoperability layer enables future connections with other layer 1 chains like Ethereum, as well as asset support for the connected chain’s tokens.

Let’s now explore the audit findings that highlight Polkadex’s technical and security features.

Decentralized Orderbook

Central to Polkadex is Orderbook v2, a decentralized layer 2 exchange that enables rapid transactions. It incorporates AWS infrastructure, OCEX pallet for fund security, a precise calculation Engine, State Change Handler for data coordination, Orderbook Worker for client-side logic, and Lambda functions for blockchain interaction.

In our audit, we delved into the intricacies of Orderbook v2, scrutinizing the next iteration of trading logic that powers the Pokedex ecosystem. This assessment included an in-depth review of the updated orderbook mechanisms, the layer 2 Trusted Execution Environment (TEE), and the robust AWS infrastructure that underpins data exchange and user registration processes.

We found a high-severity SQL injection vulnerability in the candlestick/ticker lambdas and the state-change timestream client. We recommended using prepared statements, input value validation against allowed patterns, and using domain-specific types over strings.

The Polkadex team quickly fixed the identified vulnerabilities in the Orderbook v2, achieving an impressive score of 9.1 with no critical issues found.

For a detailed understanding of all audit findings and resolutions in the Orderbook v2, dive into our complete audit report.

Substrate Framework

Focusing on the Layer 1 parachain, this audit segment examined Polkadex’s integration with the Polkadot network, particularly its use of Cross-Chain Message Passing (XCMP) and Cross-Consensus Messaging (XCM).

There were 1 critical, 2 high, 5 medium, and 3 low severity vulnerabilities, totaling 11 issues identified, all of which were fixed. This led to an impressive score of 9.6.

An identified critical vulnerability involved the xcm-helper pallet’s withdraw_asset extrinsic, which could lead to DoS attacks due to nonce dependency issues. The recommended solution involved account-specific nonce management and enhanced signature verification, effectively mitigating the risk of nonce mismatches and DoS attacks.

Access the full audit report for a comprehensive insight into the Substrate Framework’s audit results.

THEA Bridge Technology

This audit stage pivoted its focus to the THEA Bridge technology and the general Layer 1 infrastructure of Polkadex, encompassing the OCEX pallet foundational for fund security, the core Engine, and the various Lambda functions that maintain the platform’s operational integrity.

We found 1 high, 2 medium, and 1 low severity vulnerabilities. All issues were resolved, resulting in a total score for this system of 9.4.

A high-severity vulnerability was discovered in the pallet-ocex-lmp pallet, where an error during the insert process into the FeesCollected storage could crash nodes. The issue caused by an unchecked conversion from an unlimited vector to a BoundedVec was addressed by introducing validation checks prior to conversion, ensuring the robustness of the blockchain against malformed inputs and DoS attacks.

To explore each issue and its fix in the Thea Bridge Technology audit, see our complete audit report.

Conclusions

During the comprehensive audit of Polkadex, our blockchain protocol audit team performed the following reviews and tests:

Substrate Fork Review: Evaluation of all code changes and updates since the initial cloning from Substrate to ensure security and currency.
Cryptography and Keys: Examination of cryptography libraries, key generation processes, keystore storage, and asymmetric signing and verification mechanisms.
Substrate Client and Parachain Configuration Review: Scrutiny of the Substrate client configuration and parachain setup, including chain specifications.
Consensus Mechanism Review: A thorough review of the consensus process for robustness and resilience.
Substrate FRAME Pallets and Runtime Implementation: Analysis of Substrate FRAME pallets usage and the overall runtime implementation, focusing on security against standard attacks.
Pallet Reviews: Focused reviews of the xcm-handler and thea-council pallets.
RPC Implementation Review: Evaluation of RPC implementation for vulnerabilities.
Code Implementation Assessment: Assessment of code quality, static code analysis, test coverage, and benchmarking.
Attack Scenario Analysis: Rigorous analysis of various attack scenarios, including gas, race conditions, stack attacks, DoS, state implosion, and access control bypass.
Protocol and Node Testing: Conducting environment setup for end-to-end synchronization tests, consensus tests, and transaction tests.
Runtime and Fuzz Tests: Execution of fuzz tests to check runtime vulnerabilities.

The high scores from such a reputed auditor are evidence of our commitment to maintaining the highest standards of security and technical proficiency across Polkadex products.
– Pavan Kanteti, Product Manager at Polkadex

This meticulous approach highlighted not only Polkadex’s dedication to maintaining high security standards but also its position as a unique orderbook-based DEX offering centralized exchange features, such as high-frequency trading, market orders, and zero fees.

This audit rigorously assessed the robustness, security, and technical proficiency of Polkadex’s systems. All these components scored impressively high:

Orderbook v2 with 9.1
Layer 1 Parachain with 9.6
Polkadex network and Thea Bridge with 9.4

Notably, in all three audit stages, Polkadex systems got 10 out of 10 for Security Level.

Our blockchain protocol audit with Polkadex has underscored their dedication to enhancing code quality, architecture, and security. The notable improvements they’ve made across these domains are reflected in the high audit scores, showcasing a fortified approach to safeguarding crypto assets and providing secure decentralized trading.
– Luciano Ciattaglia, Director of Services at Hacken

All in all, Polkadex stands out in the DEX landscape with its blend of centralized-like features and direct, peer-to-peer trading facilitated by the advanced capabilities of the Polkadot network, as well as secure implementation.