Polkadex is a non-custodial peer-to-peer orderbook-based crypto exchange built on the Substrate blockchain framework. It provides an optimal trading environment with the benefits of both centralization and decentralization. In particular, it combines speed and affordability with self-custody and transparency.
Polkadex has undergone a comprehensive three-part blockchain protocol audit with Hacken.
The audit produced high scores for all major components of its systems:
Over the course of six months, Hacken’s premier blockchain protocol auditing team, led by renowned Web3 security expert Luciano Ciattaglia, scrutinized every line of code and communicated with the Polkadex team throughout, all in an effort to produce the most objective and accurate assessment possible.
We had the pleasure of working closely with Hacken to support their audit and determine the robustness of the Polkadex codebase, and its strength against possible security threats.
– Gautham J, Polkadex CEO and Co-Founder
This case study delves into the technical details of the Polkadex blockchain protocol audit, revealing the insights from our look into the backend of the trustless and secure architecture.
Polkadex is an order book-based exchange, contrasting with Automated Market Maker (AMM) models used by DEXs like Uniswap and PancakeSwap. It integrates centralized exchange-like features within a peer-to-peer trading framework. Advantages include interoperability, limit and market orders, high-frequency trading, and trading bot support.
Unlike many DEXs that struggle with blockchain limitations, Polkadex benefits from the customizability of the Substrate framework and from running as a parachain on Polkadot. This enables its current offering of price-efficient, trustless trading pairs of Polkadot ecosystem assets at CEX-like speeds with zero network or trading fees, resolving issues such as slippage and high network fees (due to congestion) that are common in Ethereum-based DEXs. Polkadex’s THEA interoperability layer enables future connections with other layer 1 chains like Ethereum, as well as asset support for the connected chain’s tokens.
Let’s now explore the audit findings that highlight Polkadex’s technical and security features.
Central to Polkadex is Orderbook v2, a decentralized layer 2 exchange that enables rapid transactions. It incorporates AWS infrastructure, the OCEX pallet for fund security, a precise calculation Engine, a State Change Handler for data coordination, an Orderbook Worker for client-side logic, and Lambda functions for blockchain interaction.
In our audit, we delved into the intricacies of Orderbook v2, scrutinizing the next iteration of trading logic that powers the Polkadex ecosystem. This assessment included an in-depth review of the updated orderbook mechanisms, the layer 2 Trusted Execution Environment (TEE), and the robust AWS infrastructure that underpins data exchange and user registration processes.
We found a high-severity SQL injection vulnerability in the candlestick/ticker lambdas and the state-change timestream client. We recommended using prepared statements, input value validation against allowed patterns, and using domain-specific types over strings.
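The three recommendations above, as an added illustration rather than Polkadex or Hacken code: a validated domain type for a market symbol (the allowed pattern here is an assumption), a query that carries values as bound parameters in the shape a prepared-statement API expects, and, for contrast, the string-concatenation pattern that lets untrusted input become SQL text.

```rust
/// A market identifier such as "PDEX-USDT". Construction enforces an assumed
/// allowed pattern: two legs of 2..=10 uppercase ASCII alphanumerics joined by '-'.
#[derive(Debug, Clone, PartialEq)]
pub struct Market(String);

#[derive(Debug, PartialEq)]
pub enum MarketError { BadFormat }

impl Market {
    /// The only way to obtain a Market, so every downstream function can rely
    /// on the value having passed the allowlist check.
    pub fn parse(raw: &str) -> Result<Market, MarketError> {
        let ok_leg = |s: &str| {
            (2..=10).contains(&s.len())
                && s.chars().all(|c| c.is_ascii_uppercase() || c.is_ascii_digit())
        };
        let mut legs = raw.split('-');
        match (legs.next(), legs.next(), legs.next()) {
            (Some(a), Some(b), None) if ok_leg(a) && ok_leg(b) => Ok(Market(raw.to_string())),
            _ => Err(MarketError::BadFormat),
        }
    }
    pub fn as_str(&self) -> &str { &self.0 }
}

/// SQL text with positional placeholders plus the values to bind, the shape a
/// driver's prepared-statement API takes; values never enter the SQL string.
#[derive(Debug, PartialEq)]
pub struct Statement { pub sql: &'static str, pub params: Vec<String> }

/// Vulnerable pattern: the raw request value is spliced into the query text,
/// so a quote in the input changes the statement's structure.
pub fn candles_query_unsafe(raw_market: &str, interval_s: u32) -> String {
    format!("SELECT * FROM candles WHERE market = '{}' AND interval = {}", raw_market, interval_s)
}

/// Hardened pattern: the caller must hold an already-validated Market, and the
/// value travels as a bound parameter rather than as SQL text.
pub fn candles_query(market: &Market, interval_s: u32) -> Statement {
    Statement {
        sql: "SELECT * FROM candles WHERE market = ? AND interval = ?",
        params: vec![market.as_str().to_string(), interval_s.to_string()],
    }
}
```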
The Polkadex team quickly fixed the identified vulnerabilities in Orderbook v2, which achieved an impressive score of 9.1 with no critical issues found.
For a detailed understanding of all audit findings and resolutions in the Orderbook v2, dive into our complete audit report.
Focusing on the Layer 1 parachain, this audit segment examined Polkadex’s integration with the Polkadot network, particularly its use of Cross-Chain Message Passing (XCMP) and Cross-Consensus Messaging (XCM).
The audit identified 11 issues in total: 1 critical, 2 high, 5 medium, and 3 low severity, all of which were fixed. This led to an impressive score of 9.6.
An identified critical vulnerability involved the withdraw_asset extrinsic, which could lead to DoS attacks due to nonce dependency issues. The recommended solution involved account-specific nonce management and enhanced signature verification, effectively mitigating the risk of nonce mismatches and DoS attacks.
Access the full audit report for a comprehensive insight into the Substrate Framework’s audit results.
This audit stage pivoted its focus to the THEA Bridge technology and the general Layer 1 infrastructure of Polkadex, encompassing the OCEX pallet foundational for fund security, the core Engine, and the various Lambda functions that maintain the platform’s operational integrity.
We found 1 high, 2 medium, and 1 low severity vulnerabilities. All issues were resolved, resulting in a total score for this system of 9.4.
A high-severity vulnerability was discovered in the pallet-ocex-lmp pallet, where an error during the insert process into the FeesCollected storage could crash nodes. The issue, caused by an unchecked conversion from an unlimited vector to a BoundedVec, was addressed by introducing validation checks prior to conversion, ensuring the robustness of the blockchain against malformed inputs and DoS attacks.
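The before-and-after shape of that fix, as an added example that is not Polkadex or Hacken code: a minimal stand-in for Substrate's BoundedVec (same try_from contract, written here so the block runs without the frame_support crate) and a constructed Fee type, showing why an unwrapped conversion aborts the executing node and how checking the length first turns the same input into an ordinary, returnable error.

```rust
use std::convert::TryFrom;

/// Minimal stand-in for Substrate's BoundedVec: a Vec that never holds more
/// than MAX elements. Construction only succeeds through try_from.
#[derive(Debug, PartialEq)]
pub struct BoundedVec<T, const MAX: usize>(Vec<T>);

impl<T, const MAX: usize> TryFrom<Vec<T>> for BoundedVec<T, MAX> {
    type Error = Vec<T>; // the rejected Vec is handed back, as in Substrate
    fn try_from(v: Vec<T>) -> Result<Self, Vec<T>> {
        if v.len() <= MAX { Ok(BoundedVec(v)) } else { Err(v) }
    }
}

impl<T, const MAX: usize> BoundedVec<T, MAX> {
    pub fn len(&self) -> usize { self.0.len() }
}

/// Constructed stand-in for one entry written to FeesCollected storage.
#[derive(Debug, Clone, PartialEq)]
pub struct Fee { pub asset: u32, pub amount: u128 }

#[derive(Debug, PartialEq)]
pub enum StorageError { TooManyEntries { got: usize, max: usize } }

/// Before: the conversion result is unwrapped. Any input with more than MAX
/// entries panics, and a panic inside runtime code halts the node running it,
/// so an oversized input becomes a denial of service.
pub fn insert_fees_unchecked<const MAX: usize>(fees: Vec<Fee>) -> BoundedVec<Fee, MAX> {
    BoundedVec::try_from(fees).expect("fee vector within bound")
}

/// After: the length is validated before conversion and the oversize case is
/// reported as an error the calling extrinsic can return to the submitter.
pub fn insert_fees_checked<const MAX: usize>(
    fees: Vec<Fee>,
) -> Result<BoundedVec<Fee, MAX>, StorageError> {
    if fees.len() > MAX {
        return Err(StorageError::TooManyEntries { got: fees.len(), max: MAX });
    }
    // Length already validated, so constructing the bounded value cannot fail.
    Ok(BoundedVec(fees))
}
```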
To explore each issue and its fix in the Thea Bridge Technology audit, see our complete audit report.
During the comprehensive audit of Polkadex, our blockchain protocol audit team performed the following reviews and tests:
The high scores from such a reputed auditor are evidence of our commitment to maintaining the highest standards of security and technical proficiency across Polkadex products.
– Pavan Kanteti, Product Manager at Polkadex
This meticulous approach highlighted not only Polkadex’s dedication to maintaining high security standards but also its position as a unique orderbook-based DEX offering centralized exchange features, such as high-frequency trading, market orders, and zero fees.
This audit rigorously assessed the robustness, security, and technical proficiency of Polkadex’s systems. All these components scored impressively high:
Notably, in all three audit stages, Polkadex systems got 10 out of 10 for Security Level.
Our blockchain protocol audit with Polkadex has underscored their dedication to enhancing code quality, architecture, and security. The notable improvements they’ve made across these domains are reflected in the high audit scores, showcasing a fortified approach to safeguarding crypto assets and providing secure decentralized trading.
– Luciano Ciattaglia, Director of Services at Hacken
All in all, Polkadex stands out in the DEX landscape with its blend of centralized-like features and direct, peer-to-peer trading facilitated by the advanced capabilities of the Polkadot network, as well as secure implementation.