(Whenever a critic points out that the gateway between exchanges and actual money is the obvious control point for cryptocurrencies, advocates will cite EtherDelta as a totally decentralised counterexample — even though that doesn’t answer the objection, unless the corner shop started accepting ICO tokens when I wasn’t looking.)
Decentralisation is always more costly than a centralised approach, and this is true here as well. Trades happen on-chain, so there’s opportunities for arbitrage, miners front running traders, race conditions and slow order cancellations. And despite being provably worse than a centralised exchange, the “decentralised” exchange is still controlled by a single entity; it’s not like FinCEN can’t just call Zack Coburn about EtherDelta’s KYC/AML compliance.
You can trade any ERC-20 token at EtherDelta, including ones they don’t know about yet. You just put the contract address into the web page address. So, for example, https://etherdelta.com/#0x27f706edde3ad952ef647dd67e24e38cd0803dd6-ETH lets you trade Useless Ethereum Token versus ETH.
The thief posted links to what they claimed were blog posts on http://emotionaltrader.tumblr.com/ , which immediately redirected to a Google redirect, and then to a link to EtherDelta with the exploit (which has been disabled). They apparently netted several thousand dollars.
I was looking at the EtherDelta code not long ago and concluded it was too terrible to save.
The trade engine is so closely coupled with the transaction code that it’s impossible to re-use it for anything else; There seems to be no simple way to test the software or indeed any unit tests at all; The UI is literally a cluster f— of code with no clear separation; The smart contract is a monolithic file where the author has apparently never heard of a module before; The smart contract can only be used for one purpose and the fee logic is so tightly coupled that it reads like spaghetti code; Nothing is documented, there is no documentation at all.
I am glad we abandoned this software. I got as far as installing it and did some tests but I could see that everything would have to be re-written from scratch with solid engineering if we wanted to use it for anything practical.
I almost forgot the best part: the EtherDelta “smart contract” has race conditions on every order where a person can race to take the same order. This means that it’s impossible to calculate the price of an asset reliably (it actually incentivizes sybil attacks) or scale the exchange to any amount of volume. I am honestly surprised that the exchange even works at all given these issues.
Obviously none of its financial code has been audited by anyone to my knowledge. It was thrown online by some “solidity developer” who doesn’t even understand how a trade engine works… I wonder just how much gas has already been wasted due to race conditions or how many people lost money from its multiple asymmetric pricing vulnerabilities. I think bot authors would love this exchange as there are highly malicious trading strategies that would yield insane profits if you know what you’re doing.
The attacker later updated the code of their malicious smart contract:
f`[¤ DATA <script> alert("powned") </script>
Your subscriptions keep this site going. Sign up today!