Recently, I’ve tried to trade on IDEX ‘decentralized’ exchange (https://idex.market). I’ve discovered that although it appears to be decentralized, it is in fact almost entirely centralized — and with currently ‘always in maintenance’ website, it really became a problem.
Note: in this story i’ll refer to different functions of IDEX smart contract, which you can read on etherscan (https://etherscan.io/address/0x2a0c0dbecc7e4d658f48e01e3fa353f44050c208#code) and which is described in IDEX API docs (https://github.com/AuroraDAO/idex-api-docs).
What am I talking about? Well, first of all, you have to deposit tokens or ether to begin trading — that means, using one of ‘deposit’ or ‘deposit token’ functions.
Note the lastActiveTransaction variable here. What it does is it saves the block number that deposit occured on.
The very same variable is assigned the block number in the trade function as well.
What happens next is you want to withdraw your tokens or ether from the exchange, and that’s what leads us to the interesting part. You see, the contract actually has two different function for withdrawing: withdraw and adminWithdraw. The one actually used when you click ‘withdraw’ on the website is adminWithdraw, and there’s a reason for that.
Let’s first look at the withdraw function:
Let’s look at the very first line: it’s a condition which check that current block number minus lastActiveTransaction block is SMALLER than inactivityReleasePeriod (which is set by admin using setInactivityReleasePeriod function) and is currently set to 100 000 blocks.
I.e. i deposited the tokens at 5557079, and i want to withdraw them at block 5557179. That means 5557179–5557079=100 which is < than 100 000.
If that condition is not met, the transaction fails. What that means is the following:
If you have executed any of the deposit, depositToken, trade functions in the last 100 000 blocks, you can’t withdraw your funds yourself!
How long does it take to mine 100 000 blocks, you ask? Well, according to average block time as of may 2018 (https://etherscan.io/chart/blocktime) is roughly 15 seconds. 15 seconds is 0.25 of a minute, that means 4 blocks a minute, and that means 25 000 minutes or nearly 416.6 hours or 17.361 days! Well, that’s a lot of time for a cryptocurrency prices to change.
‘But why can i withdraw then?’ — you could ask. It’s pretty simple: everything is handled using adminWithdraw function without such a restriction.
What actually happens is when you press the withdraw button on the website and sign the transaction, a request is fired to some backend, which signs your transaction with the admin’s private key (because of the onlyAdmin modifier) and sends it out to the blockchain.
