Summary

The contract does not validate the id parameter in the cancel functions

Vulnerability Details

The smart contract currently lacks validation for the 'id' parameter within the cancel functions(cancelBid, cancelAsk, and cancelShort)If an id that does not exist or has already been cancelled is passed, the contract will still execute the function and could potentially alter the state of the contract in an unintended way.

Impact

File Path: 2023-09-ditto/contracts/facets/OrdersFacet.sol
Line: 79

File Path: 2023-09-ditto/contracts/facets/OrdersFacet.sol
Line: 55

File Path: 2023-09-ditto/contracts/facets/OrdersFacet.sol
Line: 29

Tools Used

Manual

Recommendations

To resolve this issue, you should add a validation check for the 'id' parameter at the beginning of each cancel function. This check should ensure that the 'id' exists within the respective mapping and that the order has not already been cancelled. If the 'id' does not exist or the order has already been cancelled, the function should revert with an appropriate error message. Here is an example of how you could implement this for the 'cancelBid' function:

You should add similar checks to the 'cancelAsk' and 'cancelShort' functions. This will prevent the contract from executing these functions with invalid 'id' parameters and ensure that the state of the contract is not altered in an unintended way.