This article was first published on Stories by MakerDAO on Medium
On Friday the 8th of February, at 5pm UTC, the Oasis team initiated a contract migration process on eth2dai.com due to a vulnerability found in the old contract. As part of the upgrade process, users were asked to cancel resting orders on the old contract and migrate to a new contract. The migration process was completed on Saturday, the 9th of February at 5pm UTC. In an abundance of caution and with the intention of prioritizing user security, we provided limited detail at the time.
This article provides additional detail about the vulnerability and describes briefly how the new Oasis contract matching engine works.
Oasis smart contract internals
The Oasis smart contract (internally called MatchingMarket) maintains an on-chain order book, which matches orders and settles trades.
Oasis uses a fully decentralised, on-chain architecture. It is a non-custodial marketplace which provides a transparent, auditable, and fully autonomous matching engine.
The contract internally maintains a list of orders sorted by price. This structure makes order matching easy as long as there are orders to match. Adding a new order is also straightforward — the contract method goes through the order list until it finds the correct position to add a new order. This guarantees that the order book is sorted.
If the matching engine is used (through the offer() function), it will always try to fill the order from the top of the order book. However, it is also possible to fill a specific order (through the buy() function) by providing an order ID as a parameter (this is called “order cherry picking”).
It is important to note that the Oasis contract doesn’t check if the order book is correctly sorted by price after an order is partially filled. It simply assumes that the price of whatever is left of any partially filled order doesn’t change.
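An added example, not code from the Oasis contract or the original article: a toy Python model of a price-sorted order list with a fill-by-ID function, showing the sortedness check that the paragraph above says the contract does not perform after a partial fill. The class and function names, the integer amounts and the round-down arithmetic are assumptions of this model.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass
class Order:
    oid: int
    pay_amt: int  # units the maker sells (integer amounts are an assumption)
    buy_amt: int  # units the maker wants in return

    @property
    def price(self):
        return Fraction(self.buy_amt, self.pay_amt)  # exact ratio, no float error

class ToyBook:
    """Hypothetical one-sided book, cheapest order first (not MatchingMarket)."""
    def __init__(self):
        self.orders = []

    def place(self, order):
        # Walk the list until the correct position is found, keeping it sorted.
        pos = 0
        while pos < len(self.orders) and self.orders[pos].price <= order.price:
            pos += 1
        self.orders.insert(pos, order)

    def buy(self, oid, quantity, recheck=False):
        """Fill one order by ID; recheck=True repositions what is left of it."""
        order = next(o for o in self.orders if o.oid == oid)
        if not 0 < quantity <= order.pay_amt:
            raise ValueError("quantity out of range")
        spend = quantity * order.buy_amt // order.pay_amt  # rounds down (assumed)
        order.pay_amt -= quantity
        order.buy_amt -= spend
        if order.pay_amt == 0 or recheck:
            self.orders.remove(order)
        if order.pay_amt > 0 and recheck:
            self.place(order)
        return spend

    def is_sorted(self):
        prices = [o.price for o in self.orders]
        return all(a <= b for a, b in zip(prices, prices[1:]))

def demo(recheck):
    book = ToyBook()
    for oid, pay, want in [(1, 10, 15), (2, 10, 16), (3, 10, 14)]:  # constructed
        book.place(Order(oid, pay, want))
    book.buy(3, 7, recheck=recheck)  # partial fill of the cheapest order
    return book.is_sorted(), [o.oid for o in book.orders]
```

In this model `demo(False)` leaves the partially filled order at the head of the list although its remaining price is no longer the lowest, while `demo(True)` repositions it and the list stays sorted.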