Lack of Input Validation in the cancel functions
Summary
The contract does not validate the id parameter in the cancel functions
Vulnerability Details
The smart contract currently lacks validation for the 'id' parameter within the cancel functions(cancelBid, cancelAsk, and cancelShort)If an id that does not exist or has already been cancelled is passed, the contract will still execute the function and could potentially alter the state of the contract in an unintended way.
Impact
File Path: 2023-09-ditto/contracts/facets/OrdersFacet.sol
Line: 79
File Path: 2023-09-ditto/contracts/facets/OrdersFacet.sol
Line: 55
File Path: 2023-09-ditto/contracts/facets/OrdersFacet.sol
Line: 29
Tools Used
Manual
Recommendations
To resolve this issue, you should add a validation check for the 'id' parameter at the beginning of each cancel function. This check should ensure that the 'id' exists within the respective mapping and that the order has not already been cancelled. If the 'id' does not exist or the order has already been cancelled, the function should revert with an appropriate error message. Here is an example of how you could implement this for the 'cancelBid' function:
You should add similar checks to the 'cancelAsk' and 'cancelShort' functions. This will prevent the contract from executing these functions with invalid 'id' parameters and ensure that the state of the contract is not altered in an unintended way.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.