blex.io

Off-Chain (Public)
Audited on 2023/11/08
No active critical issues

Summary

Blex.io is a perpetual trading platform where users can provide liquidity and buy and sell perpetual futures contracts. Blex allows traders to speculate on the future price movement of an underlying asset, such as ETH or BTC, without owning the asset itself. Traders are provided with the option to use leverage, allowing them to control larger positions with a smaller amount of capital, which can amplify both potential profits and losses. A funding mechanism ensures the contract's price closely tracks the underlying asset's spot price. Traders who hold positions in the contract pay or receive funding based on the difference between the contract's price and the spot price. A liquidation mechanism is also implemented to manage the risk of highly leveraged positions. If a trader's position moves against them to a certain extent, their position may be forcibly closed (liquidated) to prevent further losses. Users also have the option to provide single-sided liquidity, generally USDT, to earn rewards via protocol fees. The provided liquidity is then used to fund the trading aspect of the protocol.

During the audit we found 50 issues, ranging from informational to high severity. Recurring issues were high code complexity and centralization of power. We further found that the test suite and the code documentation can be improved, and that several best practices may be implemented to improve overall code quality.

**Update**: The Blex team has either fixed, mitigated, or acknowledged all issues in the report. Most issues (32 of 47) have been acknowledged. Many of these acknowledged issues will be fixed in future iterations, for example, BLX-2, BLX-5, and BLX-7. Other issues have been acknowledged as being part of the intended design, including BLX-8 and BLX-10. Finally, some issues were acknowledged but not fixed due to a lack of a specific exploit scenario, including BLX-41. We also note that the auditing team removed three issues from the initial report as they were false positives. The Blex team also implemented an additional test suite using Foundry. The new test suite includes standard tests as well as fuzz tests. We cannot fully evaluate the quality of the tests since there are multiple test suites without a unified coverage report. However, we encourage the Blex team to continue improving their tests.


Issues (47)

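| Status    | Low | Medium | High | Critical | Total |
|-----------|-----|--------|------|----------|-------|
| Not fixed | 25  | 8      | 2    | -        | 35    |
| Fixed     | 9   | 2      | 1    | -        | 12    |
| Total     | 34  | 10     | 3    | 0        | 47    |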


Contracts (36)