BTblock Finds Serum Zero Day; Serum Fixes Immediately
BTblock, a blockchain security and code review firm, recently discovered a security risk involving the use of the Serum DEX while reviewing a project whose code touched Serum code. After further investigation, BTblock determined that the bug was in the Serum DEX itself and opened a potential backdoor into a market. Thankfully, after the bug was reported, no markets or instances of the program were found to have been used with this backdoor.
The bug was caused by not checking the SPL Token accounts' close_authority. The close_authority field grants authorization to close the account (if the token balance is 0 or the account holds the native mint).
Had the bug not been discovered, a potential attacker could have initialized a market with "backdoored" vaults. After initialization, the vaults could have been closed and reinitialized with delegate authorities. The initialized market would still point at the now reinitialized vault addresses, and the delegate field was only checked by the InitializeMarket instruction. The result would be that the attacker could clean out the vault.
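As an added example (not Serum's or BTblock's code), this is the kind of vault check the text describes as missing, written against the public 165-byte SPL Token account layout. The owner keys and account buffers are constructed for the demonstration; a real program would read them from the passed-in accounts.

```rust
use std::convert::TryInto;

// SPL Token Account layout (165 bytes, little-endian): mint 0..32, owner 32..64,
// amount 64..72, delegate (COption<Pubkey>) 72..108, state 108,
// is_native (COption<u64>) 109..121, delegated_amount 121..129,
// close_authority (COption<Pubkey>) 129..165.
const ACCOUNT_LEN: usize = 165;

#[derive(Debug, PartialEq)]
pub enum VaultError { BadLength, WrongOwner, HasDelegate, HasCloseAuthority }

pub struct TokenAccount {
    pub owner: [u8; 32],
    pub delegate: Option<[u8; 32]>,
    pub close_authority: Option<[u8; 32]>,
}

/// COption<Pubkey>: 4-byte tag (0 = None, 1 = Some) followed by the 32-byte key.
fn coption_pubkey(buf: &[u8]) -> Option<[u8; 32]> {
    let tag = u32::from_le_bytes(buf[0..4].try_into().unwrap());
    if tag == 1 { Some(buf[4..36].try_into().unwrap()) } else { None }
}

pub fn parse_token_account(data: &[u8]) -> Result<TokenAccount, VaultError> {
    if data.len() != ACCOUNT_LEN { return Err(VaultError::BadLength); }
    Ok(TokenAccount {
        owner: data[32..64].try_into().unwrap(),
        delegate: coption_pubkey(&data[72..108]),
        close_authority: coption_pubkey(&data[129..165]),
    })
}

/// A vault is acceptable only if the market's vault signer owns it and nobody
/// else holds delegate or close authority: a delegate can move the balance, and
/// a close authority can close the account and reinitialize it behind the market.
pub fn validate_vault(data: &[u8], expected_owner: &[u8; 32]) -> Result<(), VaultError> {
    let acct = parse_token_account(data)?;
    if &acct.owner != expected_owner { return Err(VaultError::WrongOwner); }
    if acct.delegate.is_some() { return Err(VaultError::HasDelegate); }
    if acct.close_authority.is_some() { return Err(VaultError::HasCloseAuthority); }
    Ok(())
}

/// Constructed account buffer for the demonstration (not real on-chain data).
pub fn make_account(owner: [u8; 32], delegate: Option<[u8; 32]>, close_auth: Option<[u8; 32]>) -> Vec<u8> {
    let mut d = vec![0u8; ACCOUNT_LEN];
    d[32..64].copy_from_slice(&owner);
    d[108] = 1; // state = Initialized
    if let Some(k) = delegate { d[72..76].copy_from_slice(&1u32.to_le_bytes()); d[76..108].copy_from_slice(&k); }
    if let Some(k) = close_auth { d[129..133].copy_from_slice(&1u32.to_le_bytes()); d[133..165].copy_from_slice(&k); }
    d
}
```

The check has to run on every instruction that touches the vaults, not only at market initialization, since the account can be reinitialized after the market records its address.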
The bug is particularly serious as it opens up a rug-pull scenario. BTblock immediately reported this issue to the Serum team. Following the report, Serum scanned all existing markets and, fortunately, found none with this property. Serum made an emergency bug fix and pushed it so that this backdoor was closed.
We applaud Serum DEX for being an open-source project. This gives the community transparency and keeps projects secure. The “thousands of eyes on the code” idea is proven accurate, as we now see that our open-source strategy pays off in more adoption and higher security.
We thank Serum for taking security so seriously. Working with the security community is essential for a project, as it gives all ethical hackers a way to support the community and be paid for their important work. In addition to a robust bounty program, it is equally important for any credible project that wants to succeed to have secure code reviews, so that any issues are spotted early and resolved before anything catastrophic can transpire - this is key to the success and growth of any ecosystem. If you couple secure code reviews with a robust bug bounty program, the security posture is higher across the entire ecosystem.