This is an application for a grant from the serum DAO to recognise the many critical bug reports and suggestions that the github user Henry-E (me!) has provided during the development process of serum dex v4 and the agnostic orderbook.
The post is broken down into bugs of varying severity reported both before and after the audit, as well as a number of suggestions regarding issues with the design of the aob and dex v4, many of which led to changes being made.
Hopefully each contribution can be evaluated by members of the serum DAO and an appropriate grant for each can be suggested, which can then be combined into a single governance proposal and put to a vote!
Low / Medium severity - ability to brick the event queue and prevent maker orders from being processed. This bug would have allowed a malicious actor to freeze maker orders from being processed on all markets, something that could have caused particular issues during periods of high volatility and trading. The bug was confirmed by ottersec and passed onto bonfida.
It’s important to note this bug was not present during the audit ottersec performed; bonfida made changes to the main branch of the dex v4 repo without notifying ottersec. At this stage dex v4 and AOB were considered fully audited and this bug would very likely have made its way onto mainnet.
(Work done in conjunction with another person who should receive 20% of whatever bounty is determined.)
Critical Severity - Orderbook removes all excess orders as if they were bid orders. Would enable draining all funds from one of the two vaults, either quote or base vault.
??? Severity - Locked token values were not being decreased in consume events calls
??? Severity - issues with rounding when using fixed point, can be used to increase locked token values
Issue with FP32 when bid and quote currencies have vastly different decimal places - Led to a redesign of the dex v4 to account for this issue
Suggested that the AOB should be used as a crate instead of deployed as a program; suggestion was made in this github issue, as well as in multiple telegram conversations and during in-person conversations at the Breakpoint conference. Eventually AOB was redesigned as a crate with all the program functionality removed and the existing functions simplified as a result.
Highlighted a missing feature, client order ids, that was present in serum dex v3.