Introduction
Vertex is a decentralized exchange (DEX) that combines the performance and liquidity of centralized trading platforms with the transparency and security of on-chain settlement. Its innovative architecture spans spot and perpetual markets, unified liquidity, and embedded money markets, providing an all-in-one solution for traders ranging from casual enthusiasts to seasoned professionals. Key features of the Vertex include:
Scope of the Engagement
Our audit with Vertex began in May 2024 and spanned 14 person-weeks. The focus was on Vertex’s core components, including the spot and perpetual trading engines, hybrid order book architecture, and cross-margin systems. These elements were critical to the platform’s operations and user experience, handling significant transaction volumes across multiple chains. The audit’s primary goals were to identify vulnerabilities, validate the protocol’s logic, and recommend optimizations to enhance the platform’s security and reliability.
Challenges in Securing Protocols like Vertex
Decentralized exchanges (DEXs) face unique security challenges due to their reliance on smart contracts, liquidity pools, and user-driven interactions. Ensuring the safety and functionality of these systems is paramount to maintaining user trust and preventing financial losses.
Common Security Vulnerabilities in DEXs
1 - Oracle Manipulation
Oracles bridge the gap between blockchain and real-world data, providing essential information like asset prices. However, they are prime targets for attackers aiming to manipulate the data fed into smart contracts. By compromising or influencing oracle data sources, attackers can alter asset valuations, leading to wrongful liquidations, inaccurate interest rate calculations, or unauthorized borrowing beyond collateral limits.
A notable example is the Polter Finance Exploit, where an attacker manipulated the price oracle to drain approximately $12 million from the platform.
2 - Reentrancy Attacks
Reentrancy attacks exploit the interaction between smart contracts and other contracts or tokens, allowing attackers to repeatedly call protocol functions before the initial transaction completes. This can bypass security checks like LTV ratios and enable unauthorized borrowing or asset manipulation.
A prominent example is the Penpie exploit, where an attacker leveraged a reentrancy bug to drain approximately $27 million from the platform.
3 - Liquidity Pool Exploits
DEXs often rely on liquidity pools to facilitate trading. Vulnerabilities in pool contracts, such as improper input validation or unchecked arithmetic, can be exploited to drain liquidity by manipulating token balances or skew pool reserves, leading to significant slippage and value loss.
A prominent example is the DeltaPrime exploit, where attackers exploited unchecked logic in smart contracts to drain $4.85 million from the pools across Avalanche and Arbitrum.
Audit Date: 2024-05-09
Language: Solidity
Type: Code Audit
Results and Findings
At Three Sigma, we collaborated closely with Vertex to conduct a thorough audit of its protocol, focusing on identifying critical vulnerabilities and recommending actionable improvements. Our efforts were aimed at fortifying the protocol’s core systems while ensuring operational reliability and user safety.
Key Critical Issue
Spread liquidation could over-debit a trader if quote + insurance balance turned negative
- Description:
ClearinghouseLiq::_assertLiquidationAmount()
recalculated basisAmount
using an unchecked negation of (quoteBalance + insurance) / price
, which could increase the liquidated size whenever the net quote was negative, spiralling bad-debt. - Resolution: Added guard
if (quoteBalance + insurance <= 0) { basisAmount = 0; }
, plus invariant tests that forbid negative-quote paths.
Notable High-Severity Issues
state.cumulativeDepositsMultiplierX18
may become 0 or negative, leading to loss of funds
- Description: During socialization of a short spot account, the multiplier that re-denominates all deposits could be driven below 1 (or even negative). If it hit 0 every subsequent deposit would revert; if negative, fresh collateral would be treated as a short, exposing users to liquidation with no health check.
- Recommendation: Impose a hard floor: revert any operation that would set the multiplier ≤ 0 and add tests to guarantee
multiplier ≥ 1
.
OffchainExchange::swapAmm()
accepts negative prices, enabling donation attacks
- Description:
quote = -amount × price
assumes price > 0
. An attacker supplying a negative price passes the curve check yet credits both base and quote to the pool, artificially inflating LP value and stealing later deposits (donation attack). - Recommendation: Require
txn.priceX18 > 0
and verify the trade respects the AMM invariant (k
non-decreasing) before state updates.
ClearinghouseLiq::_finalizeSubaccount()
neglects LP balances
- Description: Finalization repays bad-debt from insurance or socializes it once an unhealthy account shows no positive asset balances. LP tokens were not counted, letting an attacker be “finalized” while still holding LP shares whose real-world value exceeds their book health, thereby draining insurance profitably upon later LP burn.
- Recommendation: During finalization, revert if the sub-account holds any LP tokens; require the liquidator to burn or transfer LPs first.
In conclusion
Impact of the Audit
The audit significantly improved Vertex’s security and operational reliability. By resolving critical vulnerabilities and implementing targeted enhancements, the platform is now equipped to provide a seamless trading experience with robust safeguards against potential exploits. Vertex’s commitment to addressing these issues reinforces its reputation as a secure and trustworthy DEX, capable of scaling alongside the evolving needs of its users.
Lessons Learned
The audit of Vertex highlighted the importance of proactive security measures for DEXs. Key lessons included the need for rigorous input validation in critical mechanisms, robust defenses against reentrancy, and constant evaluation of oracle dependencies to mitigate manipulation risks. The collaborative process with the Vertex team underscored how iterative improvements and a security-first mindset can bolster a protocol’s resilience against emerging threats.
Our Value
We approached Vertex’s audit with the goal of delivering actionable insights and long-term solutions. Our methodology went beyond identifying vulnerabilities to emphasize best practices that strengthen the protocol’s resilience in a dynamic and competitive ecosystem.
By collaborating closely with Vertex, we ensured that critical issues were resolved effectively, and the platform’s functionality was optimized for both security and efficiency.