Security firm: malicious orders against the 0x Exchange contract could have disrupted normal trading

Yesterday the team behind the 0x decentralized exchange protocol announced that it had found a serious security vulnerability. PeckShield security researchers followed up and found that the 0x Exchange contract was flawed in how it verified order signatures. An attacker could have used the flaw to place malicious orders that sold users' digital assets below market price, disrupting normal trading. The project team found and fixed the problem in time; as of now no real attack has taken place and no digital assets have been lost.

The vulnerable part of the 0x protocol contract code is the signature verification function, which was written in inline assembly. Writing assembly directly is useful where the compiler cannot optimize the contract code: the developer gets finer control over what is executed, which can improve execution efficiency and reduce gas consumption. But writing Solidity inline assembly requires a thorough understanding of how the EVM operates; otherwise EVM behaviour can cause the contract to misbehave, and the code also loses the safety checks that Solidity normally generates for you (for example, verifying that an external call succeeded and returned the expected amount of data before its result is used).

PeckShield security researchers remind developers to review the relevant parts of their contract code promptly to avoid security risks from similar problems. DeFi projects such as DEXes should have a qualified security firm audit them for security risks before going live.
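The class of mistake described above, shown as an added illustration that is not the 0x project's code and does not reproduce the actual 0x bug: a contract-wallet signature check written in inline assembly that reads the call's return buffer without checking whether the call succeeded or how much data came back, beside a hardened version of the same assembly and the plain Solidity call that generates those checks automatically. The interface `IWalletValidator`, the function names, the bool return convention and the `EmptyFallback` contract are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// EIP-1271-style interface a contract wallet is expected to expose.
// Assumed for this illustration; returns a bool rather than a magic value for brevity.
interface IWalletValidator {
    function isValidSignature(bytes32 hash, bytes calldata signature) external view returns (bool);
}

contract WalletSignatureCheck {
    // UNSAFE (illustration of the pitfall): trusts whatever sits in the return buffer.
    function isValidWalletSignatureUnsafe(address wallet, bytes32 hash, bytes memory signature)
        public view returns (bool isValid)
    {
        bytes memory callData =
            abi.encodeWithSelector(IWalletValidator.isValidSignature.selector, hash, signature);
        assembly {
            let cdStart := add(callData, 32)   // skip the length word of the bytes array
            let cdLen := mload(callData)
            // Output is written over the first 32 bytes of the input buffer. The success flag
            // is discarded and nobody checks how many bytes actually came back.
            pop(staticcall(gas(), wallet, cdStart, cdLen, cdStart, 32))
            // If the callee returned nothing (an EOA, or a contract whose fallback returns no
            // data), cdStart still holds the 4-byte selector plus part of the hash, which is
            // non-zero, so the "signature" is accepted for any such address.
            isValid := iszero(iszero(mload(cdStart)))
        }
    }

    // HARDENED: same assembly, with the checks the compiler would otherwise emit for you.
    function isValidWalletSignatureSafe(address wallet, bytes32 hash, bytes memory signature)
        public view returns (bool isValid)
    {
        bytes memory callData =
            abi.encodeWithSelector(IWalletValidator.isValidSignature.selector, hash, signature);
        assembly {
            let cdStart := add(callData, 32)
            let cdLen := mload(callData)
            // Refuse to "validate" against an address that has no code at all.
            if iszero(extcodesize(wallet)) { revert(0, 0) }
            let success := staticcall(gas(), wallet, cdStart, cdLen, cdStart, 32)
            // A failed call or a short return must never be read as a valid signature.
            if iszero(success) { revert(0, 0) }
            if iszero(eq(returndatasize(), 32)) { revert(0, 0) }
            // Accept only the canonical ABI encoding of `true`, not any non-zero word.
            isValid := eq(mload(cdStart), 1)
        }
    }

    // SIMPLEST: let Solidity generate the call and its checks (call success, return-data
    // length and ABI decoding of the bool), at a somewhat higher gas cost.
    function isValidWalletSignatureHighLevel(address wallet, bytes32 hash, bytes memory signature)
        public view returns (bool)
    {
        return IWalletValidator(wallet).isValidSignature(hash, signature);
    }
}

// Constructed callee for the illustration: has code, never reverts, returns no data.
// isValidWalletSignatureUnsafe treats it as a wallet that approves every signature;
// isValidWalletSignatureSafe reverts on the returndatasize check.
contract EmptyFallback {
    fallback() external {}
}
```

Deploy `WalletSignatureCheck` and `EmptyFallback` on a local node and call the unsafe function with the `EmptyFallback` address (or any externally owned account) and an arbitrary hash and signature: it returns `true`, while the hardened and high-level versions revert. The design point is that inline assembly removes exactly the checks that make the high-level call safe, so each of them (code presence, call success, return-data size, exact decoding) has to be written back by hand.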