<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: ToTo Bugelman</title>
    <description>The latest articles on DEV Community by ToTo Bugelman (@toto_bugelman_aece7be7171).</description>
    <link>https://dev.to/toto_bugelman_aece7be7171</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3301314%2Fc9e2824a-9d85-4144-a017-07890e604658.png</url>
      <title>DEV Community: ToTo Bugelman</title>
      <link>https://dev.to/toto_bugelman_aece7be7171</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/toto_bugelman_aece7be7171"/>
    <language>en</language>
    <item>
      <title>Bug Bounty Dex223</title>
      <dc:creator>ToTo Bugelman</dc:creator>
      <pubDate>Sat, 30 Aug 2025 17:38:39 +0000</pubDate>
      <link>https://dev.to/toto_bugelman_aece7be7171/bug-bounty-dex223-590</link>
      <guid>https://dev.to/toto_bugelman_aece7be7171/bug-bounty-dex223-590</guid>
      <description>&lt;p&gt;A new player has appeared in the DeFi segment – &lt;a href="https://www.dex223.io/" rel="noopener noreferrer"&gt;Dex223&lt;/a&gt;. A DEX platform focused on the ERC-223 fungible token standard. The developers led by the anonymous security expert Dexaran are promoting &lt;a href="https://dexaran.github.io/erc223/" rel="noopener noreferrer"&gt;ERC-223&lt;/a&gt; as a safe replacement for &lt;a href="https://ethereum.org/en/developers/docs/standards/tokens/erc-20/#reception-issue" rel="noopener noreferrer"&gt;ERC-20&lt;/a&gt;. It was recently &lt;a href="https://gist.github.com/Dexaran/108b78e597fccb4ec9947dcd4df7ac95" rel="noopener noreferrer"&gt;announced&lt;/a&gt; that the DEX core is ready, with internal and &lt;a href="https://beosin.com/resources/understanding-erc-223-a-superset-of-erc-20-and-its-application" rel="noopener noreferrer"&gt;external audits&lt;/a&gt; conducted. Dex223 announces the final stage before the official launch – the Bug Bounty program.&lt;br&gt;
Dex223 invites researchers, blockchain engineers, and dApp developers to contribute to the security of the platform by receiving rewards for discovered vulnerabilities and errors.&lt;/p&gt;

&lt;h2&gt;
  
  
  Scope of Research
&lt;/h2&gt;

&lt;p&gt;Not all Dex223 modules are covered by the Bug Bounty program, only the core that is ready to enter the market.&lt;/p&gt;

&lt;p&gt;What Bug Bounty participants can work on:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Smart contracts: all Dex223 contracts in the Ethereum mainnet and test networks (&lt;a href="https://github.com/EthereumCommonwealth/Dex223-contracts/tree/253367297d9093db21661b297cdbb104d8579e35" rel="noopener noreferrer"&gt;Dex223-contracts&lt;/a&gt;).&lt;/li&gt;
&lt;li&gt;Web application: &lt;a href="https://test-app.dex223.io" rel="noopener noreferrer"&gt;https://test-app.dex223.io&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Exchange interface: &lt;a href="https://test-app.dex223.io/en/swap" rel="noopener noreferrer"&gt;https://test-app.dex223.io/en/swap&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;API: public and authenticated endpoints (including fiat money in/out).&lt;/li&gt;
&lt;li&gt;Infrastructure: cloud services and deployment pipelines.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;What is not included in the Bug Bounty scope:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;MarginModule – margin trading module.&lt;/li&gt;
&lt;li&gt;PriceOracle – price oracles required for margin trading.&lt;/li&gt;
&lt;li&gt;Known issue – pool creation: error when one token is ERC-20 Origin and the other is ERC-223 Origin with no existing ERC-20 wrapper.&lt;/li&gt;
&lt;li&gt;Known issue – auto-conversion: no auto-conversion of ERC-20 wrapper tokens to ERC-223 Origin in pools that have only ERC-20-side liquidity for an ERC-20/223 pair.&lt;/li&gt;
&lt;li&gt;Third-party services not owned by Dex223.&lt;/li&gt;
&lt;li&gt;DDoS attacks.&lt;/li&gt;
&lt;li&gt;Physical security assessment.&lt;/li&gt;
&lt;li&gt;Social engineering.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A report can be submitted to the GitHub repository “&lt;a href="https://github.com/rroland10/dex223-bug-bounty/issues" rel="noopener noreferrer"&gt;dex223-bug-bounty&lt;/a&gt;”:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Click New Issue.&lt;/li&gt;
&lt;li&gt;Choose a template: Bug Report, Feature Request, or Question.&lt;/li&gt;
&lt;li&gt;Fill in what you found, where it is, and how to reproduce it.&lt;/li&gt;
&lt;li&gt;Submit.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Error Levels and Rewards
&lt;/h2&gt;

&lt;p&gt;Dex223 distinguishes four levels of problem severity with corresponding rewards:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Critical – 30M D223. A vulnerability that can completely disrupt the workflow of the contracts.&lt;/li&gt;
&lt;li&gt;High – 7M D223. A serious problem with serious consequences, but not affecting the entire platform.&lt;/li&gt;
&lt;li&gt;Medium – 3M D223. May lead to loss of funds under certain conditions.&lt;/li&gt;
&lt;li&gt;Information – 1M D223. Best practices, documentation improvements, low-impact issues.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Rewards are paid primarily in the platform’s native token, D223, but exceptions allow payment in another cryptocurrency or by bank transfer. Dex223 is also considering long-term partnerships within special programs. The detailed reward structure, payment periods, and conditions can be read on GitHub: &lt;a href="https://github.com/rroland10/dex223-bug-bounty/blob/main/REWARDS.md" rel="noopener noreferrer"&gt;Bug Bounty&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  A Good Opportunity
&lt;/h2&gt;

&lt;p&gt;Not every day does a new player appear in the DeFi sector with innovations different from the existing market.&lt;br&gt;
Dex223 has two unique features: support for both ERC-223 and ERC-20 token standards; hybrid liquidity pools capable of operating without splitting into separate pools, which in itself positively affects the platform’s liquidity and slippage in trading operations. Dex223 also implements one of the safest types of margin trading – encapsulated. It is all the more interesting for researchers and dApp engineers to participate in Bug Bounty Dex223. In addition to financial benefits, there is an opportunity to work on ERC-223 and dApps based on it, thereby increasing one’s qualifications and gaining recognition in the community, and with the significant spread of ERC-223, possibly being among the first on the crest of the wave.&lt;/p&gt;

&lt;p&gt;Useful links:&lt;br&gt;
Problem report submission page “&lt;a href="https://github.com/rroland10/dex223-bug-bounty/issues" rel="noopener noreferrer"&gt;dex223-bug-bounty/issues&lt;/a&gt;”. &lt;br&gt;
Contact with developers: &lt;a href="http://t.me/dex223_defi" rel="noopener noreferrer"&gt;Telegram&lt;/a&gt; or &lt;a href="https://discord.com/channels/314812276878082048/1206737530175885353" rel="noopener noreferrer"&gt;Discord&lt;/a&gt;. &lt;br&gt;
&lt;a href="https://blog.dex223.io/en/40b40033-2a37-450d-96c0-ca90d30f6866?slug=bug-bounty-2025" rel="noopener noreferrer"&gt;Official blog&lt;/a&gt; of Dex223.&lt;/p&gt;

</description>
      <category>blockchain</category>
      <category>web3</category>
      <category>security</category>
    </item>
    <item>
      <title>Solidity. Hooks in smart contracts.</title>
      <dc:creator>ToTo Bugelman</dc:creator>
      <pubDate>Thu, 31 Jul 2025 13:02:10 +0000</pubDate>
      <link>https://dev.to/toto_bugelman_aece7be7171/solidity-hooks-in-smart-contracts-1j6j</link>
      <guid>https://dev.to/toto_bugelman_aece7be7171/solidity-hooks-in-smart-contracts-1j6j</guid>
      <description></description>
      <category>solidity</category>
      <category>smartcontract</category>
      <category>web3</category>
    </item>
    <item>
      <title>Solidity. Hooks in smart contracts.</title>
      <dc:creator>ToTo Bugelman</dc:creator>
      <pubDate>Sat, 28 Jun 2025 15:58:14 +0000</pubDate>
      <link>https://dev.to/toto_bugelman_aece7be7171/solidity-hooks-in-smart-contracts-2c9e</link>
      <guid>https://dev.to/toto_bugelman_aece7be7171/solidity-hooks-in-smart-contracts-2c9e</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqyiap0snflfhqj1fqxdg.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqyiap0snflfhqj1fqxdg.jpg" alt="Image description" width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Introduction
&lt;/h2&gt;

&lt;p&gt;Users rarely give much thought to the smart contract logic of &lt;a href="https://www.coinbase.com/ru/learn/crypto-glossary/what-is-the-ethereum-virtual-machine" rel="noopener noreferrer"&gt;EVM&lt;/a&gt; blockchains. To newcomers to cryptocurrency in particular, it may seem that this variety of systems and the applications built on them have always been there, but that is not the case. Let's break down what &lt;a href="https://startup-house.com/glossary/hook" rel="noopener noreferrer"&gt;Hooks&lt;/a&gt; are, how they developed in smart contracts, and their security aspects.&lt;/p&gt;

&lt;p&gt;The most common programming language for EVMs is the Solidity language. However, Solidity is considered to be a rather complex language due to static typing and little flexibility compared to other languages, such as Rust.&lt;/p&gt;

&lt;p&gt;In fact, the reason is that Solidity was essentially designed for transactions and simple programs - smart contracts in the financial industry.&lt;/p&gt;

&lt;p&gt;Of course, today we have NFTs used in the arts or to represent property rights. Most blockchains now also allow for storing manufacturing and supply chain data thanks to increased block size. But this progression isn’t just about technology — it reflects a deeply human trait: the drive to evolve our inventions beyond their original purpose.&lt;/p&gt;

&lt;p&gt;Just as the wheel once powered carts, then mills as a waterwheel, and eventually steamships as a propeller, blockchain technology is undergoing a similar transformation — expanding its utility in unexpected ways.&lt;/p&gt;

&lt;p&gt;It should be remembered that an EVM system is a distributed, fault-tolerant computer, but its resources are very limited compared to large servers, and that remains a significant constraint on what can be built.&lt;/p&gt;

&lt;h2&gt;
  
  
  By placing hooks
&lt;/h2&gt;

&lt;p&gt;A hook is an event handler or interceptor: when an event occurs, the desired action is performed.&lt;/p&gt;

&lt;p&gt;Hooks were not born in Solidity, they came to it from other programming languages. For example, it is no exaggeration to say that &lt;a href="https://en.wikipedia.org/wiki/JavaScript" rel="noopener noreferrer"&gt;JavaScript&lt;/a&gt; (JS) consists of Hooks for any event occurring with an object.&lt;/p&gt;

&lt;p&gt;To illustrate, let's look at the code of the NFT listing function on the marketplace in &lt;a href="https://en.wikipedia.org/wiki/TypeScript" rel="noopener noreferrer"&gt;TypeScript&lt;/a&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import { useRouter } from "next/router";
…
const Create = () =&amp;gt; {
  // Next.js router hook used to redirect to other pages
  const router = useRouter();
  …
  async function handleCreateListing(e) {
    try {
      …
      // If the transaction succeeds, take the user back to the homepage to view their listing!
      if (transactionResult) {
        router.push(`/`);
      }
    } catch (error) {
      console.error(error);
    }
  }
  …
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The hook used here is &lt;code&gt;useRouter&lt;/code&gt;, a component of the &lt;a href="https://nextjs.org/" rel="noopener noreferrer"&gt;Next.js&lt;/a&gt; framework, which is an extension of React. After a successful transaction (creating an “item”), the front end navigates to the root page of the site. Otherwise, the error is caught and logged.&lt;/p&gt;

&lt;h2&gt;
  
  
  Hooks in Solidity and Security Aspects
&lt;/h2&gt;

&lt;p&gt;The first Ethereum block was mined in July 2015, the first DEX appeared only 3 years later, and trading bots even later, so the main application of smart contracts at that time was the &lt;a href="https://en.wikipedia.org/wiki/Initial_coin_offering" rel="noopener noreferrer"&gt;ICO&lt;/a&gt;. The contract's task was to accept ETH and send ERC-20 standard tokens to the investor.&lt;/p&gt;

&lt;p&gt;Solidity out of the box contains a &lt;code&gt;receive()&lt;/code&gt; callback function for native coins; it can be used to handle the event of a contract receiving the native coin. However, unlike native coins, ERC-20 tokens &lt;a href="https://medium.com/dex223/known-problems-of-erc20-token-standard-e98887b9532c" rel="noopener noreferrer"&gt;do not know how to process a transfer to ineligible contracts&lt;/a&gt;: Hooks were simply absent in their logic. The consequence was &lt;a href="https://dev.tourl"&gt;multi-million dollar losses&lt;/a&gt; that still &lt;a href="https://blockzhub.io/news/673261f5b7696e7d36efc96c" rel="noopener noreferrer"&gt;occur to this day&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Noticing this significant vulnerability, the anonymous developer Dexaran developed a token smart contract using a Hook similar to the basic &lt;code&gt;receive()&lt;/code&gt; function, formalizing it as the &lt;a href="https://dexaran.github.io/erc223/" rel="noopener noreferrer"&gt;ERC-223 standard&lt;/a&gt; in 2017. In ERC-223, the Hook &lt;code&gt;tokenReceived()&lt;/code&gt; is called when tokens are sent: if the target smart contract has this Hook in its code, it will receive the tokens and update its state (credit them to its balance); if not, the token transfer is canceled.&lt;/p&gt;

&lt;p&gt;A similar concept of using Hooks will be further adopted by standards trying to improve and expand the functionality of ERC-20: ERC-677; ERC-721; ERC-777; ERC-1337 and &lt;a href="https://medium.com/dex223/erc-223-and-others-b93e98ee74f8" rel="noopener noreferrer"&gt;others&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;However, the use of callbacks introduces a security vulnerability that allows a &lt;a href="https://www.cyfrin.io/blog/what-is-a-reentrancy-attack-solidity-smart-contracts" rel="noopener noreferrer"&gt;reentrancy attack&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Reentrancy is one of the most common attack classes; &lt;a href="https://blog.chain.link/reentrancy-attacks-and-the-dao-hack/" rel="noopener noreferrer"&gt;The DAO hack&lt;/a&gt;, which split the Ethereum community, is the best-known example. Even in 2025, hacks involving reentrancy are still occurring, which says something about developer competence. &lt;a href="https://medium.com/@mayankchhipa007/openzeppelin-reentrancy-guard-a-quickstart-guide-7f5e41ee388f" rel="noopener noreferrer"&gt;ReentrancyGuard&lt;/a&gt; or &lt;a href="https://dev.to/syedghufranhassan/solidity-patterns-cei-53bi"&gt;CEI-Pattern&lt;/a&gt; integration is sufficient for prevention.&lt;/p&gt;

&lt;p&gt;Separately, the ERC-777 standard is worth mentioning. ERC-777 promoted the use of ERC-1820, a registry of external Hooks smart contracts and their corresponding target contracts. In theory, ERC-1820 allowed for the extended functionality of contracts that did not have Hooks inside them. The complex chain of three contracts not only increased the cost of gas to execute transactions, but required high competence from the developer, and the user was required to trust the provider of external Hooks. The likelihood of &lt;a href="https://mixbytes.io/blog/one-more-problem-with-erc777" rel="noopener noreferrer"&gt;manipulation&lt;/a&gt; of the Hooks registry was high. It is only logical that after several &lt;a href="https://milkroad.com/news/imbtc-uniswap-hack/" rel="noopener noreferrer"&gt;hacks&lt;/a&gt;, ERC-777 gained notoriety.&lt;/p&gt;

&lt;p&gt;It is ironic that all the token standards that followed ERC-223 failed to gain popularity due to complexity and vulnerabilities. ERC-223, on the contrary, was successfully tested in the Callisto network and is the base element of some DeFi projects.&lt;/p&gt;

&lt;p&gt;At the moment, blockchain is successfully used as a backend for the logic of financial and even entertainment applications. Blockchain benefits from high fault tolerance and 24/7 operation. Naturally, this has led to the complication of the logic of smart contracts and developers are increasingly resorting to the use of event handlers.&lt;/p&gt;

&lt;p&gt;Uniswap, in the Uniswap v4 protocol, introduced a system of external Hook smart contracts for working with liquidity pools. An external Hook can be connected to automate trading by bots independent of external oracles, or to use Uniswap liquidity in third-party DeFi projects.&lt;/p&gt;

&lt;p&gt;The PureFi protocol has even developed a tool for KYC/AML compliance verification, VerifierHook, using Uniswap v4.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fafbqq62qjp4zfh29m8hb.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fafbqq62qjp4zfh29m8hb.webp" alt="Image description" width="800" height="281"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;PureFi Uniswap v4 Hook: &lt;a href="https://medium.com/purefi" rel="noopener noreferrer"&gt;PureFi&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Other Uniswap hooks can be viewed on the HookRank dashboard.&lt;/p&gt;

&lt;p&gt;The concept of Uniswap v4 Hooks is reminiscent of the failed ERC-777, which means that great care must be taken when developing and using the toolkit.&lt;br&gt;
Uniswap is a trendsetter in DEX construction, so the Uniswap v4 Hooks will likely be adopted by other developers as a model, just like everything Uniswap has done before. This means that hackers will actively exploit the vulnerabilities associated with this solution. However, there is nothing new in the cat-and-mouse game between developers and hackers.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;This article has traced, by example, the evolution of smart-contract logic in the Solidity language, from the developers' desire to solve a security problem (ERC-223) to the most complex logic of trading platform automation (Uniswap v4). Most importantly, one should not forget that in the world of decentralized finance everyone is responsible for their own assets: they alone enjoy the profit and bear the loss. Therefore, it is worth analyzing the software product you intend to use and weighing the risks with a cool head.&lt;/p&gt;

</description>
      <category>solidity</category>
      <category>erc223</category>
      <category>ethereum</category>
      <category>blockchain</category>
    </item>
  </channel>
</rss>
