0x (pronounced “zero-x”), an Ethereum-based project looking to raise $24 million in an initial coin offering (ICO) today, has some missing elements, according to a group of computer scientists who recently examined the project under a microscope.
The 0x ICO comes in the midst of a string of ICOs that have raised a total of $1.3 billion in funds this year for fledgling projects built on blockchain platforms such as Ethereum, according to the news site CoinDesk.
After reviewing the project's publicly available GitHub code and white paper, researchers at Cornell Tech’s Initiative for Cryptocurrencies and Contracts (IC3) summarized their findings in a blog post on Sunday. According to their report, the 0x code is incomplete.
0x, however, claimed in an earlier blog post that it planned to distribute its tokens during the ICO using "fully functional" and "audited" smart contracts, a statement that might have led some to believe the protocol was at least nearly complete.
Specifically, IC3 researchers say the 0x project does not fully specify how it plans to use its ZRX digital token in a proposed governance scheme to upgrade the protocol, a missing link that brings into question the potential for security risks.
After this story went live, I wrote 0x for comment. In response, Will Warren, co-founder of 0x, sent an email explaining that 0x intentionally built a modular, upgradeable system so that a governance system could be "plugged in" at a later date.
Referencing a previous Ethereum project where a code weakness resulted in a $50 million theft, he added that it does not pay to push out a complex system of smart contracts for governance too hastily.
"The DAO clearly demonstrated the catastrophic damage that can be done when a poorly designed smart contract is put into production," he wrote.
Warren also criticized IC3 for posting their analysis 36 hours before the project's token sale when the 0x team was in "crunch mode." He added that 0x would be releasing a full response to the IC3 article in coming weeks.
Before delving deeper into IC3's evaluation of the 0x protocol, it is helpful to understand what the 0x project aims to do.
What Is 0x?
Put simply, 0x is a decentralized exchange that allows users to trade different types of Ethereum-based tokens directly. Decentralized exchanges are getting a lot of attention these days, mainly because they avoid a single point of failure.
In contrast, centralized exchanges, like Coinbase, Kraken, and ShapeShift, carry the risk of theft because they require users to put their money in the hands of a third party.
Two of the most notable virtual currency heists occurred at Mt Gox in 2014 and Bitfinex in 2016, resulting in losses of $460 million and $72 million, respectively. ShapeShift was also the victim of a string of thefts in 2016, resulting in $230,000 in losses.
So, the whole idea of a decentralized exchange is to ensure trades happen on the blockchain, where funds are more secure.
To explain further, 0x works something like this: A “maker” broadcasts his or her order. A "relayer" then posts that order in an off-chain order book and a counterparty (called a “taker”) accepts the order by pushing the transaction into the project’s DEX smart contract.
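To make that flow concrete, here is a small Python model of it. This is an added example, not code from 0x or from the article: the order fields, the fee paid in ZRX to the relayer, and the checks the settlement contract runs (maker authorisation, expiry, replay, solvency) are assumptions for illustration, and the maker's authorisation is modelled with an HMAC over the order hash as a stand-in for the ECDSA signature a real contract would verify.

```python
"""Toy model of the maker / relayer / taker flow described above.

Added example, not 0x project code. The order fields and the checks the
settlement contract performs are assumptions for illustration, and maker
authorisation is modelled with an HMAC over the order hash as a stand-in
for the ECDSA signature a real contract would verify.
"""
import hashlib
import hmac
import json

# Constructed maker signing secret (stand-in for an Ethereum private key).
MAKER_KEY = b"maker-signing-secret-constructed"


def order_hash(order):
    """Canonical hash of every order field except the signature."""
    fields = {k: v for k, v in order.items() if k != "signature"}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def sign(key, order):
    """Maker's authorisation over the order hash (HMAC stands in for ECDSA)."""
    return hmac.new(key, order_hash(order).encode(), "sha256").hexdigest()


def make_order(maker, sell_token, sell_amount, buy_token, buy_amount,
               relayer, fee_zrx, expires_at, key=MAKER_KEY):
    """Maker builds and signs an order entirely off-chain."""
    order = dict(maker=maker, sell_token=sell_token, sell_amount=sell_amount,
                 buy_token=buy_token, buy_amount=buy_amount, relayer=relayer,
                 fee_zrx=fee_zrx, expires_at=expires_at)
    order["signature"] = sign(key, order)
    return order


class OrderBook:
    """Relayer's off-chain order book: stores and serves orders, never settles them."""
    def __init__(self):
        self.orders = []

    def post(self, order):
        self.orders.append(order)


class DexContract:
    """Model of the on-chain settlement contract a taker calls to fill an order."""
    def __init__(self, balances, maker_keys):
        self.balances = balances      # balances[account][token] -> amount
        self.maker_keys = maker_keys  # stand-in for on-chain signature recovery
        self.filled = set()           # hashes of settled orders (replay guard)

    def _balance(self, account, token):
        return self.balances.get(account, {}).get(token, 0)

    def _transfer(self, src, dst, token, amount):
        self.balances[src][token] -= amount
        self.balances.setdefault(dst, {})[token] = self._balance(dst, token) + amount

    def fill(self, order, taker, now):
        h = order_hash(order)
        expected = hmac.new(self.maker_keys[order["maker"]], h.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, order["signature"]):
            return "rejected: bad signature"       # tampered or forged order
        if now > order["expires_at"]:
            return "rejected: expired"
        if h in self.filled:
            return "rejected: already filled"      # each signed order settles once
        if self._balance(order["maker"], order["sell_token"]) < order["sell_amount"]:
            return "rejected: maker cannot cover"
        if self._balance(taker, order["buy_token"]) < order["buy_amount"]:
            return "rejected: taker cannot cover"
        if self._balance(taker, "ZRX") < order["fee_zrx"]:
            return "rejected: taker cannot pay relayer fee"
        # All checks passed: swap atomically and pay the relayer its fee.
        self._transfer(order["maker"], taker, order["sell_token"], order["sell_amount"])
        self._transfer(taker, order["maker"], order["buy_token"], order["buy_amount"])
        self._transfer(taker, order["relayer"], "ZRX", order["fee_zrx"])
        self.filled.add(h)
        return "filled"


def demo():
    """Run the flow once and return the contract's verdict for each submission."""
    balances = {"alice": {"TOKA": 100}, "bob": {"TOKB": 500, "ZRX": 10}}  # constructed
    dex = DexContract(balances, {"alice": MAKER_KEY})
    book = OrderBook()
    order = make_order("alice", "TOKA", 100, "TOKB", 400, "relayer1", 2, expires_at=1000)
    book.post(order)                                   # relayer lists the order
    first = dex.fill(book.orders[0], "bob", now=500)   # taker fills it on-chain
    replay = dex.fill(order, "bob", now=600)           # same signed order again
    tampered = dict(order, buy_amount=1)               # altered after signing
    forged = dex.fill(tampered, "bob", now=600)
    stale = dex.fill(order, "bob", now=2000)           # past its expiry
    return first, replay, forged, stale, dex.balances
```

The point of the model is where trust sits: the relayer only stores orders, so it cannot move funds; every transfer happens inside the contract, and only after the maker's authorisation, expiry and single-fill checks pass.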
Role of the Token
At this point, it is important to mention that for a blockchain project to legitimately sell its token in an ICO, that token needs to play an integral role in the project's protocol. Otherwise, the token qualifies as a security, subject to the rules of the Securities and Exchange Commission.
So, based on that, how does 0x incorporate its token? According to the project’s white paper, the ZRX token interacts with the 0x protocol in two ways. In the first way, the token is used to pay the relayer fees for listing a trade in the order books.
But, IC3 researchers argue that having a dedicated token to pay for relayer fees is unnecessary given users could simply pay those fees in ether, the native currency of the Ethereum blockchain.
As an example, EtherDelta, an Ethereum-based decentralized exchange that has been operational for more than a year, doesn't require a special token. (It didn't have an ICO either.) Instead, users pay transaction fees in ether. Additionally, in EtherDelta, makers post trade orders to off-chain books on their own, without going through a relayer.
That raises the question of why 0x needs relayers at all. Moreover, since 0x makers and takers could identify one another through the publicly viewable order book, they could sidestep relayers and trade point-to-point, which creates another potential problem, explained Cornell Tech professor and IC3 co-director Ari Juels, who led the research on the 0x project.
"This could cause the system to erode in that the incentives to create order books for a large segment of the community [relayers] are undermined," he said.
The second way that the 0x token integrates with the protocol is through governance. Generally, in a governance scheme, users vote on changes to the protocol and their votes are weighted, depending on how many tokens within the system they own. In theory, this would allow a smooth transition in upgrades to the protocol.
Unfortunately, the details for how this is supposed to work are missing from the project’s white paper. Additionally, Juels said his team found nothing in the code to support the governance scheme either.
“The strange thing is, the only good reason for [0x] having a token at all is for the purpose of governance. Yet, there is nothing in the paper or the code about this essential part of the token,” he said.
This raises questions about the security implications of the governance process in 0x, explained Juels. For instance, if the project were to rely on a simple majority vote to approve updates to its DEX smart contract, an attacker could simply buy up 51% of the ZRX tokens and then vote to replace the critical DEX smart contract with a malicious one, sending all of the assets to himself.
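The token-weighted voting described in the preceding paragraphs, and why the threshold matters, can be shown with a small model. This is an added example, not 0x code: as the article notes, the white paper gives no governance details, so the voting rules here (approval measured against total supply, a configurable threshold, and a timelock before execution) are assumptions chosen to show how a simple-majority rule behaves when one holder controls 51% of the supply, and how a supermajority threshold plus a delay changes the outcome.

```python
"""Token-weighted governance model for protocol upgrades.

Added example, not 0x project code: the white paper discussed above gives no
governance details, so the voting rules below are assumptions chosen to show
why a simple-majority vote over a contract-replacement proposal is fragile,
and how a supermajority threshold plus a timelock changes the outcome.
"""
from dataclasses import dataclass, field

TOTAL_SUPPLY = 1_000_000_000  # constructed token supply

# Constructed holder snapshot: one account controls 51% of all tokens.
HOLDERS = {"whale": 510_000_000, "holder_a": 200_000_000,
           "holder_b": 150_000_000, "holder_c": 140_000_000}


@dataclass
class Proposal:
    """A proposal to point the protocol at a replacement DEX contract."""
    new_dex_address: str
    created_at: int
    votes_for: int = 0
    votes_against: int = 0
    voted: set = field(default_factory=set)


class Governance:
    def __init__(self, balances, approval_fraction, timelock_seconds):
        # balances: token holdings used as vote weights (assumed snapshot)
        self.balances = balances
        # approval_fraction is measured against TOTAL_SUPPLY, not votes cast,
        # so abstentions never make a proposal easier to pass.
        self.approval_fraction = approval_fraction
        self.timelock_seconds = timelock_seconds

    def vote(self, proposal, voter, support):
        """Each account votes once with its full token weight."""
        if voter in proposal.voted:
            raise ValueError("double vote")
        weight = self.balances.get(voter, 0)
        proposal.voted.add(voter)
        if support:
            proposal.votes_for += weight
        else:
            proposal.votes_against += weight

    def execution_status(self, proposal, now):
        """The checks a contract would run before swapping in the new DEX."""
        needed = int(TOTAL_SUPPLY * self.approval_fraction)
        if proposal.votes_for <= needed:
            return False, f"approval {proposal.votes_for} not above {needed}"
        if now < proposal.created_at + self.timelock_seconds:
            return False, "timelock still running"
        return True, "executable"


def simulate(approval_fraction, timelock_seconds, elapsed_seconds):
    """Whale votes yes, everyone else votes no; return (executable, reason)."""
    gov = Governance(HOLDERS, approval_fraction, timelock_seconds)
    proposal = Proposal(new_dex_address="0xNEW_DEX_PLACEHOLDER", created_at=0)
    gov.vote(proposal, "whale", support=True)
    for other in ("holder_a", "holder_b", "holder_c"):
        gov.vote(proposal, other, support=False)
    return gov.execution_status(proposal, now=elapsed_seconds)


if __name__ == "__main__":
    week = 7 * 24 * 3600
    print("simple majority, no delay:     ", simulate(0.5, 0, 0))
    print("simple majority, 1-week delay: ", simulate(0.5, week, 0))
    print("two-thirds supermajority:      ", simulate(2 / 3, week, week))
```

Under the simple-majority rule the 51% holder's vote alone makes the proposal executable immediately; a two-thirds threshold means that holder cannot pass it unaided, and a timelock gives the remaining holders a window to see the pending change before it takes effect.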
The IC3 blog post also outlines several limitations inherent in decentralized exchanges. These limitations, the group argues, could open up decentralized exchanges to abuses such as arbitrage and front running.
Juels said his team will likely continue looking into other ICO projects, many of which, he feels, are not properly scrutinized before going to ICO. "We plan to do more of this work," he said.
Source: Forbes