Questions amid recent situation --> Serum - FTX hack - Bonfida

[mihneacalugaru]

I am posting this issue to serve more as a discussion platform after the recent situation involving the presumed FTX hack and its effects on Serum DEX.

From my understanding, a summary of what (people think) happened sound like this:

FTX backed the original Project Serum. Also, FTX was holding the private key of the Update Authority of Serum DEX program. With FTX being hacked, Serum's update private key is thought to be compromised, which in turn made a lot of exchanges, wallets, and others to stop using Serum. Volume decreased by 80-90% day by day since the beginning of the weekend. In order to remove any fears of Serum being linked to the FTX Group, developers started working on a fork.

Anyway, correct me if I'm wrong, please.

How will this affect Bonfida's Serum DEX v4 that will be on mainnet at some point?

Hopefully, this thread will clarify fears and questions.

[ellttBen]

Hi @mihneacalugaru, thanks for raising this important issue. The first thing to say is that Bonfida is not affiliated with Serum or FTX. However, we have ownership over the dex-v4 (and AAOB) code and we will continue to maintain it. The code also remains open source and free to use / fork, and has been audited by Ottersec. We have never deployed the program to mainnet ourselves. In terms of security, no one outside Bonfida has write access to this repo, so there should be no concern there.

[mihneacalugaru]

Thanks for clarifying @ellttBen, that's great to hear.

So, is there any timeline on deploying the v4 on the mainnet or is it still unknown? Also, when that will happen, will any liquidity from v3 be migrated to v4?

[ellttBen]

Considering the situation, we think the program should be deployed by a DAO, and we would be keen to help out and participate. However there are no concrete plans right now. In terms of liquidity, we don't have and never had MM activities on Serum and don't really know what other MMs would want to do.

[mihneacalugaru]

Okay, so, if I understood correctly, Bonfida implemented Serum DEX v4 will be deployed if and when a DAO will be formed and willing to deploy it so that there will be a multisig procedure through which the program will be upgraded, in order not to end up like we did. Is that correct?

[ellttBen]

That's pretty much it yes

[mralbertchen]

hi @ellttBen this conversation makes it sound like v4 never got deployed to mainnet but FTX deployed v4 to mainnet back in July (https://explorer.solana.com/address/Fw2n4Hq2CKbbC9J1HZ3couDiKVBhUE9f1c7uads9hsGy). The main use of this had been for SFT trading. As this program shares the same upgrade authority with v3, I believe we should fork this the same way OpenBook community forked v3. I am happy to lead this effort and create a DAO involving the parties that have been using this program. Are you able to tell me which commit was deployed to this program?

[dr497]

We are not aware of which commit was deployed. If I am correct this is the last commit reviewed by Ottersec a41a9420d2d09c8642fd37b4412777a08f9bd3c8

[mralbertchen]

Thanks that is extremely helpful @dr497

[mihneacalugaru]

So, @mralbertchen, you did deploy the commit @dr497 mentioned at the following address: srmv4uTCPF81hWDaPyEN2mLZ8XbvzuEM6LsAxR8NpjU, also creating a DAO and setting it as the sweep authority, right?

[ellttBen]

Hi again, First of all we'd like to thank everyone for their involvement in rebooting the Serum dex as fast as possible with more decentralization. However, we want to avoid excessive forking which would dilute our ability to quickly deploy potential security updates if they become necessary. This repo was entirely developed by us at Bonfida, and we're still here and committed to the future of the technology itself. Any change that needs to be made to the protocol in order to facilitate a DAO deployment should be submitted as an issue on this repo, and we'll get to work. Once a DAO is ready, we can deploy an Anchor verified build and set the upgrade authority to be controlled by it.

[mralbertchen]

@mihneacalugaru that is correct. The upgrade authority will be changed to the DAO once Apr.Dev is fixed.

The DAO has been created here: https://app.realms.today/dao/Bmif6ABDLNA2X2R2odRoAQEpcBVnAWaxJhSSPJsHQpY7

Please provide addresses and I will invite you to the DAO.

I can also create a pull request with the changes made.

[dr497]

@mralbertchen What changes have you made? What is the exact code that will be deployed?

[mralbertchen]

Just updated the program id and changed the sweep authority to the DAO address. Then modified Anchor.toml for anchor verifiable build to work.

You can see the commit here. https://github.com/Genopets/dex-v4/commit/d50898e660cfa73b0737d21a3e54af932ffa98d7

I’m waiting for https://apr.dev to be fixed for the program source code to be verified on-chain.