Publication date: 06.04.2025
Author: To To Bugelman

DEX223. Development Report for April-May

DEX223 addresses hidden issues in the Critical components of the Cryptocurrency Ecosystem.


The developers of Dex223 have published a development report for the period April-May. 

Previous reports can be found here: DEX223_development.

The report focuses on resolving issues within the DEX core, including both the exchange functionality and the additional margin trading module.

Complex USDT design

So it turns out that the USDT contract based on ERC-20 is not compliant with the ERC-20 standard. 

Allowances in the ERC-20 standard: 
function allowance(address owner, address spender) external view returns (uint256);

Allowance in the USDT implementation:
function allowance(address _owner, address _spender) public constant returns (uint remaining) {
        return allowed[_owner][_spender];
}

The stumbling block is a piece of code: public constant.

The visibility modifier itself, public instead of external, technically works, but is slightly less gas-efficient when called externally. However, the constant modifier in place of view is an obsolete style: in newer versions of Solidity (>=0.5.0), constant is no longer allowed for functions.

In the USDT contract implementation, you cannot directly change an existing non-zero allowance to another non-zero value. To change the allowance, you must first set it to zero and then set the new value. See GitHub for a more detailed explanation. The gas cost of changing an allowance is doubled.

This deviation is introduced to protect against front-running attacks. In a standard ERC-20 implementation, if a user changes an allowance from one value to another, an attacker can take advantage of the time window between transactions and perform an unwanted operation. Requiring the allowance to be set to zero first, before setting the new value, reduces the risk of such attacks. There is a fairly detailed article explaining the approval and authorization methods at nulldog.com.

Difficulties for developers:

  • Unusable helper functions: the increaseAllowance and decreaseAllowance functions proposed for safely changing allowances do not work with USDT, as they assume that the allowance can be changed without first setting it to zero. There is a good example with Alice and Bob on the OpenZeppelin Forum.
  • Additional logic needed: Developers should consider this behavior when integrating USDT into their applications. The allowance should be explicitly set to zero before changing it.
  • Potential errors in contracts: If a contract does not take this USDT behavior into account, attempting to change the allowance may result in an error and transaction rollback (MixBytes report).

Dex223 developers integrate the SafeERC20 library, a safe wrapper over the standard ERC-20 calls. This allows the allowance value to be raised without first resetting to zero. A single transaction will check the allowed number of tokens and raise the allowance if necessary. 
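
The check-then-raise flow described above, with the zero-first fallback needed for USDT, written out as a self-contained Solidity library. This is an added example, not DEX223's code and not the OpenZeppelin SafeERC20 source; the names AllowanceTopUp, IERC20Like and ensureAllowance are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: hypothetical names, not DEX223 or OpenZeppelin code.
interface IERC20Like {
    function allowance(address owner, address spender) external view returns (uint256);
}

library AllowanceTopUp {
    // approve is called low-level because USDT's approve returns no value,
    // and a typed call expecting `bool` would revert when decoding it.
    bytes4 private constant APPROVE = bytes4(keccak256("approve(address,uint256)"));

    /// True if the call succeeded and returned either nothing (USDT style)
    /// or an ABI-encoded `true` (standard ERC-20).
    function _tryApprove(address token, address spender, uint256 value) private returns (bool) {
        (bool ok, bytes memory ret) =
            token.call(abi.encodeWithSelector(APPROVE, spender, value));
        if (!ok) return false;
        // Empty return data only counts as success if `token` is a contract.
        if (ret.length == 0) return token.code.length > 0;
        return ret.length == 32 && abi.decode(ret, (bool));
    }

    /// Raise this contract's allowance for `spender` to at least `needed`,
    /// inside the current transaction.
    function ensureAllowance(address token, address spender, uint256 needed) internal {
        uint256 current = IERC20Like(token).allowance(address(this), spender);
        if (current >= needed) return; // already sufficient, no approve sent

        // Direct change: works on standard tokens, reverts on USDT when the
        // existing allowance is non-zero. A failed inner call changes nothing.
        if (_tryApprove(token, spender, needed)) return;

        // USDT-style fallback: reset to zero first, then set the new value.
        require(_tryApprove(token, spender, 0), "approve(0) failed");
        require(_tryApprove(token, spender, needed), "approve(needed) failed");
    }
}
```

Because both approve calls in the fallback run inside one transaction of the calling contract, no other transaction can spend between the reset and the new value.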

After the changes were made, the updated contracts were again verified by Beosin. Against the backdrop of ongoing hacks, verifying any code change adds points to the project. 

Due to smart contract vulnerabilities, there were 2 major incidents in May:

Measure seven times, cut once.

During public testing, one of the active users fell into a trap while providing liquidity. An incorrectly specified address in the withdrawal request resulted in the recipient address being set to the “NonfungiblePositionManager” contract itself. To fix this issue, changes were made to the frontend code of DEX223. The team contacted the user to return the funds.

NonfungiblePositionManager is a contract that manages a liquidity provider’s position. The user receives an NFT in the ERC-721 standard, which reflects the parameters of the position, including the price range for providing liquidity (concentrated liquidity). It was first introduced in Uniswap v3. After the restrictions on using Uniswap v3 expired, liquidity management mechanisms using ERC-721 tokens became the standard for DEX platforms. Rapid adoption was driven by the concentrated liquidity mechanism, which mitigated the issue of impermanent loss. Another advantage of ERC-721 is its similarity to ERC-223: ERC-721 NFTs cannot be sent to contracts that do not implement the special ERC721TokenReceiver interface, making them harder to lose by mistake.

Before the release of Uniswap v3, DEXs issued ERC-20 standard tokens to liquidity providers in exchange for the funds they contributed.
To combat impermanent loss, each provider had to develop their own strategy and constantly monitor the market. There was a real risk of losing ERC-20 standard tokens by sending them directly to a contract, which would result in the provider losing all access to their liquidity position. Additionally, scammers sent fake LP tokens to user addresses, waiting for an approve transaction for the counterfeit token.

Developers have a dedicated bug report list where the status of identified issues can be tracked.

Development of the Margin Trading Module

The implementation of the margin trading contracts and the “price oracle” has been completed. The smart contracts have been deployed on the Sepolia testnet.

The margin trading interface is still under development, and its design is available on Figma.

The DEX developers are encouraging users to participate in the liquidation process. DEX223 will not have a built-in module for automatically liquidating positions.
Liquidation is explicitly declared an open and accessible function. Any user can become a liquidator by connecting their own scripts to DEX223. A liquidator's task is to monitor the borrowing market and report positions eligible for liquidation to the contract.

To diversify, the platform will have its own liquidation script. The platform needs a safety rope. A recent example, Loopscale, shows how dangerous unsecured loans can be. That platform launched on April 10, and by April 26 it had lost $5.8 million.

Conclusion

Detected errors in the UI and smart contracts required changes and further testing before deploying the contracts on Ethereum mainnet.
Considering that the lifeblood of the entire crypto ecosystem — USDT, the stablecoin with the largest market capitalization — has subtle compatibility issues, the platform required additional time. This is perfectly reasonable — no one wants to become the next Cork Protocol or another Cetus.

After the completion of all tests, the smart contracts will be redeployed to the Ethereum mainnet, followed by the official launch of DEX223. According to the DEX223 roadmap, the next step after the official launch is the implementation of a revenue system for D223 token holders.

The developers express special thanks to all community members and Callisto DAO who are participating in testing DEX223 at every stage of development.

 


Note: This analysis is entirely the author's vision. It is not a call to action or investment advice. 
