Grant for security and design contributions to AOB and Dex v4


This is an application for a grant from the serum DAO to recognise the many critical bug reports and suggestions that the github user Henry-E (me!) has provided during the development process of serum dex v4 and the agnostic orderbook.

The post is broken down into bugs of varying severity reported both before and after the audit, as well as a number of suggestions regarding issues with the design of the aob and dex v4, many of which led to changes being made.

Hopefully each contribution can be evaluated by members of the serum DAO and an appropriate grant for each can be suggested, which can then be combined into a single governance proposal and put to a vote!


Introduced Post audit

Order index bug in cancel order function

Low / Medium severity - ability to brick the event queue and prevent maker orders from being processed. This bug would have allowed a malicious actor to freeze maker orders from being processed on all markets, something that could have caused particular issues during periods of high volatility and trading. The bug was confirmed by ottersec and passed on to bonfida.

It’s important to note this bug was not present during the audit ottersec performed; bonfida made changes to the main branch of the dex v4 repo without notifying ottersec. At this stage dex v4 and AOB were considered fully audited and this bug would very likely have made its way onto mainnet.

(Work done in conjunction with another person who should receive 20% of whatever bounty is determined.)

Pre audit

Orderbook booting bug

Critical Severity - Orderbook removes all excess orders as if they were bid orders. Would enable draining all funds from one of the two vaults, either quote or base vault.

Incorrect consume events processing

??? Severity - Locked token values were not being decreased in consume events calls

Fixed point rounding

??? Severity - issues with rounding when using fixed point, can be used to increase locked token values

Smaller bug reports


Major changes made

FP32 issue with currency decimals

Issue with FP32 when bid and quote currencies have vastly different decimal places - Led to a redesign of the dex v4 to account for this issue

Using AOB as a crate instead of a program

Suggested that the AOB should be used as a crate instead of deployed as a program; suggestion was made in this github issue, as well as in multiple telegram conversations and during in-person conversations at the Breakpoint conference. Eventually AOB was redesigned as a crate with all the program functionality removed and the existing functions simplified as a result.

Missing client order ids

Highlighted missing feature, client order ids, that was present in serum dex v3

Smaller changes made

Henry’s contributions are immense, I’d suggest at least 75,000-100,000 SRM minimum for a retroactive grant. Possibly additional for further efforts.

Security research is very costly to procure, and that’s if you can even get a person.

Henry has been doing a lot of good work and I think it’s only fair that he gets compensated for it.
