Summary

OrdersFacet.cancelOrderFarFromOracle doesn't handle partially filled order

Vulnerability Details

It's possible that short order is filled partially. In this case, id of created short position is set as shortRecordId field into short order. So in case if order will be executed again, then it will be filled with additional amount.

In case if user has short position that is partially filled and he would like to exit this position, then short record will be deleted. Usually, canceled short record id will be marked as canceled, which will allow to reuse it later, but in case if position is filled partially, then this will not be done. This is needed to allow next fill.

So now i am ready to explain the problem. When OrdersFacet.cancelShort is called, then described situation is handled, which means that it will mark it as fully filled or remove, which will allow reusing of the record id in future.

But OrdersFacet.cancelOrderFarFromOracle function doesn't do that, it just cancels orders and do not mark related record id as fully filled or removes it.

Impact

It will be not possible to reuse that short record id in future.

Tools Used

VsCode

Recommendations

Handle it in same way as in OrdersFacet.cancelShort function.