This article is a development report of the Dex223 decentralized exchange.
We're building an exchange to speed up adoption of the ERC-223 token standard. ERC-223 was created to solve a security problem in the older ERC-20 standard. The ERC-20 security issue caused $200M in losses on Ethereum in 2023.
Take a look at other Dex223 development reports.
Smart-contracts were reviewed in preparation for the launch. A number of security issues were discovered and most of them were fixed during this month.
You can find our smart-contracts here: https://github.com/EthereumCommonwealth/Dex223-contracts
Dex223 is based on the Uniswap V3 source code. Contracts that have the Dex223 prefix (like Dex223Factory.sol) were changed. Contracts that keep the UniswapV3 prefix remained untouched.
The Dex223 platform allows the creation of pools for any pair of tokens, assuming that every token is available in two versions: an ERC-20 version of the token and an ERC-223 version. Once the pool is created, it will not be possible to create the same pool for the same pair of tokens in the future. Dex223Factory checks the correctness of the provided token addresses via the Token Converter.
In the older version of Dex223-contracts (commit 9462c93c72ca195ee44148cd2f8373edaba9fc24) it was possible to create an ERC-20 wrapper for an existing ERC-20 token and then feed it to the Factory as if the original token was the ERC-223 version of itself and the ERC-20-wrapper created by the Converter was its ERC-20-wrapper (which in fact is true from the Converter's point of view).
This would create an incorrectly configured pool and fill the slot for that token pair. Therefore it would not be possible to create a correct pool for that pair of tokens in the future.
This vulnerability was fixed, and in the current state of the contracts (commit 77ffd81ecc2c072949c9bbd7a0b539609e487e87) token standard introspection was improved. The fix entailed an update in the Token Converter which was supposed to make identifying token standards more deterministic for other third party services that pull token versions from the Converter.
The Token Converter smart-contracts were updated to overwrite the logic of "default" interactions with the tokens. The token converter implements wrapERC20toERC223(...) and unwrapERC20toERC223(...) functions, each of which either converts an ERC-20-Wrapper to its ERC-223 origin or wraps an ERC-20 token, depending on whether the inputted ERC-20 token is a wrapper itself or not.
Similar logic is implemented within the tokenReceived(...) ERC-223 reception function.
However, since it is not possible to determine the standard of any given token with sufficient precision within the Converter contract, it just allows anything to have a wrapper of any standard, which means you can create an ERC-20-Wrapper for an ERC-20 token or you can create an ERC-223-Wrapper for an ERC-223 token. In some cases this wrapper contract shadowed an existing wrapper of a different standard, i.e. if you tried to wrap an ERC-20 token and expected to receive its ERC-223-Wrapper to your address, the Converter could deliver the ERC-20-Wrapper instead (as if your original token was ERC-20).
This could interrupt the workflow of Dex223Pools and therefore the Converter was updated to prevent such situations.
Introspection methods allow contracts to gather information about other contracts and whether they implement some functions or not. The main method of introspection on Ethereum is ERC-165, which unfortunately is completely useless when dealing with ERC-20 and ERC-223 tokens since it only allows gathering data on the signatures of functions that a token contract may implement. ERC-20 and ERC-223 standards both have the same function signatures, and in some particular cases it would not be possible to identify the standard by function signatures. Also, not every existing ERC-20 token supports ERC-165 introspection.
As a result, it was decided to operate under the assumption that ERC-223 tokens implement an additional function standard() returns (string memory) which explicitly declares that these tokens are ERC-223. All the ERC-223-Wrapper tokens created by the Converter always implement this function. We also assume that any original ERC-223 token must implement this introspection function in the future.
However, it proved to be inefficient to rely on the earlier defined string memory return values as it is not possible to compare byte arrays or strings in Solidity as of the current 0.8.25 version. This would mean that any third party service would spend unnecessarily high quantities of gas to perform a simple check "whether a contract is ERC-223 or not" even if the contract supports the default introspection method via the standard() function.
As a result, the Converter as well as the standard introspection method of ERC-223 were updated to rely on uint32 returned values. This minor update made the existing Converter as well as the deployed D223 token incompatible with the latest changes, so these legacy contracts have to be updated.
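The uint32 introspection check and the pair validation described above, as an added example (not Dex223 or ERC-7417 code). It assumes ERC-223 tokens return the value 223 from standard(); the page gives only the uint32 return type. TokenStandardProbe, readStandard, isERC223 and checkVersions are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not Dex223 or ERC-7417 code. All names here are hypothetical.
library TokenStandardProbe {
    // Assumption: ERC-223 tokens answer standard() with 223. The page states
    // only that the return type is uint32.
    uint32 internal constant ERC223_ID = 223;

    // Reads standard() defensively. ok is true only when `token` has code and
    // returned exactly one ABI word whose value fits in uint32.
    function readStandard(address token) internal view returns (bool ok, uint32 value) {
        // A call to an address without code succeeds with empty return data.
        if (token.code.length == 0) return (false, 0);
        // staticcall forbids state changes; the gas cap bounds a hostile token.
        (bool success, bytes memory ret) =
            token.staticcall{gas: 30_000}(abi.encodeWithSignature("standard()"));
        // Plain ERC-20 tokens revert here or return nothing from a fallback.
        if (!success || ret.length != 32) return (false, 0);
        uint256 word = abi.decode(ret, (uint256));
        if (word > type(uint32).max) return (false, 0);
        return (true, uint32(word));
    }

    // One integer comparison; no string or byte-array handling is needed.
    function isERC223(address token) internal view returns (bool) {
        (bool ok, uint32 value) = readStandard(token);
        return ok && value == ERC223_ID;
    }

    // Check a factory could run before a pair slot is filled: the address
    // offered as the ERC-223 version must identify as ERC-223, and the address
    // offered as the ERC-20 version must not. An ERC-20 token presented as
    // "the ERC-223 version of itself" fails the first condition.
    // A token can lie about standard(), so this complements the Converter
    // lookup the page describes; it does not replace it.
    function checkVersions(address erc20Version, address erc223Version)
        internal view returns (bool)
    {
        return erc20Version != erc223Version
            && isERC223(erc223Version)
            && !isERC223(erc20Version);
    }
}
```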
We've implemented the native currency unwrapping for ERC-223 tokens. As a result, if WETH had its ERC-223 version in the Converter and it was tradeable on Dex223, it would unwrap to the native currency (ETH) as its ERC-20 version does, without any problems.
It is not recommended to use ERC-223 WETH however since it may cause significant increase in gas fees. We will probably deploy a special ERC-223 ETH wrapper to lower the gas fees of interacting with Dex223 contracts.
A significant part of the code is still pending final tweaks.
This includes:
- Review of the depositERC20 / convertERC20 functions of the Converter which were removed during the fix of the default logic of token wrapping.
- Fee system of Dex223. Support of the governance functions for future DAO structure.
- exactOutputSingle(...) swap method for ERC-223 tokens.
- Multicall contract may be optimized for ERC-223 calls.
- Wrapped Ethereum for ERC-223 version.
- Direct swapping and delegatecall opcode usages in Dex223 contracts. These functions were not allowed in UniswapV3 but in Dex223 we have permitted the usage of them. This needs to be double-checked so as not to introduce any security flaws with these updates.
We expect these parts to be covered in the next month.
The token converter's code was updated and uploaded to the "Reference Implementation" section of ERC-7417: https://eips.ethereum.org/EIPS/eip-7417
This ERC is moving to review status and will be finalized in the near future. After that the Converter will be deployed on Ethereum mainnet and we will proceed to the deployment of the main Dex223 contracts.
The ERC-223 standard introspection method is still pending approval.
Since both the introspection method and the Converter were updated - D223 token which we used to sell during the ICO should also be updated.
There is a new implementation and it's currently undergoing a security audit. We are waiting for it to be completed. The new version of D223 token will be listed on BitMart exchange after the completion of the security review.
Dex223 Team will provide the instructions on how to upgrade your tokens as soon as the new version is deployed on Ethereum mainnet.
BitMart listing agreement was finalised. D223 token will be listed on BitMart exchange after the security audit completion.
Our longest ICO round is finished and you can find the completion data in our financial report.
We've made a snapshot of pD223 balances on Callisto chain. We will distribute D223 tokens to the buyers of pD223 before the launch. You can find a list of addresses here: EthereumCommonwealth/Roadmap#76
You don't need to do anything if you can see your address in the JSON file in the issue 76.
If you have any questions feel free to ask them at the comment thread of the github issue or in our telegram channel: t.me/Dex223_defi
We are finalizing the agreement with a security auditing company. Also https://github.com/gorbunovperm agreed to perform a security audit of the platform which is really appreciated since he is familiar with the workflow of ERC-223 tokens (which is uncommon among Ethereum security auditors).
We can declare that Dex223 security audits have officially begun.
We keep adjusting the code to work with the latest updates in the smart-contracts. The whole Dex223 test prototype was re-deployed on Sepolia and BSC testnets. You can find the relevant version here: https://test-app.dex223.io/
We've added native currency pools and you can now officially buy test ETH with our tokens!
The pool page was finalized and its mobile version must be up-to-date with the latest design changes now.