Dust Order Creation Allows for Orderbook Clutter and Misleading Market Activity
Summary
A potential vulnerability exists within the _createBid() function which allows users to create dust by setting a very low ETH price but compensating with a high amount of the asset ERC. This could effectively meet the minimum ETH required for the order but still create clutter in the Orderbook.
Vulnerability Details
Within the _createBid() function, the minimum ETH required for an order is calculated by multiplying ercAmount by price. While this does ensure that the minimum ETH requirement is met, it does not prevent the creation of dust. Specifically, a user could set a very low ETH price but use a high ercAmount to meet the minimum ETH requirement.
By not setting a minimum limit on the price or the ercAmount, the function allows for scenarios where the total value in ETH may be sufficiently high, but the individual price is impractically low.
Impact
Orderbook Clutter: Over time, with enough of such dust bids, the Orderbook could become cluttered, making it inefficient and potentially increasing gas costs.
Misleading Orders: These dust orders could mislead users by artificially inflating the volume or creating a false sense of market activity.
Operational Overhead: These dust orders might increase the operational overhead for nodes processing transactions, which could slow down the network slightly.
Tools Used
Manual code review.
Recommendations
Set Minimum Limits: Implement a minimum limit for both
priceandercAmount. This can prevent the creation of dust while still allowing flexibility in order placement.Clean-Up Mechanism: Implement a mechanism to periodically clear out dust orders from the Orderbook.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.