DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: low
Invalid

`sellMatchAlgo` can return without doing any operations

Summary

`sellMatchAlgo` can return empty without doing any operations, which may confuse the front-end or users.

Vulnerability Details

There is a certain path from which `sellMatchAlgo` will return without doing anything, without even emitting an event. This happens when `incomingAsk.price > highestBidInitial.price` and `incomingAsk.ercAmount.mul(incomingAsk.price) > minAskEth`.

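```solidity
function sellMatchAlgo(...) internal {
    AppStorage storage s = appStorage();
    // Order that follows HEAD in the bid list for this asset
    uint16 startingId = s.bids[asset][Constants.HEAD].nextId;
    STypes.Order storage highestBidInitial = s.bids[asset][startingId];
    if (incomingAsk.price > highestBidInitial.price) {
        // The ask is only added to the book when its value reaches minAskEth
        if (incomingAsk.ercAmount.mul(incomingAsk.price) >= minAskEth) {
            addSellOrder(incomingAsk, asset, orderHintArray);
        }
        // Otherwise execution falls through to this return
        return;
    }
    // ... (remainder of the function is not shown)
}
```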

A plausible scenario is that the price changes just before the TX; this makes `incomingAsk.price > highestBidInitial.price` true, so execution enters the `if` statement. From there on, if the amount is too little, it will revert without emitting an event.

Impact

Function returns without doing anything.

Tools Used

Manual review.

Recommendations

Emit an event at least.
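
The branch quoted above, modelled in Python as an added example (not code from the submission or from DittoETH): it follows the snippet's two conditions and reports which inputs leave the order book unchanged, with an optional event on that path as the recommendation suggests. The 18-decimal fixed-point `mul`, the `AskBelowMinimum` event name and all numeric values are assumptions made for the illustration.

```python
# Added illustration: a Python model of the early-return branch quoted above.
# Assumptions: mul() is 18-decimal fixed-point multiplication; the event name
# and every numeric value are constructed for this example.
from dataclasses import dataclass

WAD = 10**18


def mul(a: int, b: int) -> int:
    """Fixed-point multiply (assumed semantics of .mul in the snippet)."""
    return a * b // WAD


@dataclass
class Ask:
    price: int       # ETH per unit of asset, 18 decimals
    erc_amount: int  # asset amount, 18 decimals


def sell_match_algo(ask, highest_bid_price, min_ask_eth, book, events,
                    emit_on_skip=False):
    """Mirror the quoted branch and return a label for the path taken."""
    if ask.price > highest_bid_price:
        if mul(ask.erc_amount, ask.price) >= min_ask_eth:
            book.append(ask)                  # stands in for addSellOrder(...)
            return "added_to_book"
        if emit_on_skip:                      # the submission's recommendation
            events.append("AskBelowMinimum")  # hypothetical event name
            return "skipped_with_event"
        return "silent_noop"                  # no state change, no event
    return "matching"                         # rest of the function is not on the page


def run(ask, highest_bid_price, min_ask_eth, emit_on_skip=False):
    """Execute one call against a fresh book and report what is observable."""
    book, events = [], []
    path = sell_match_algo(ask, highest_bid_price, min_ask_eth, book, events,
                           emit_on_skip)
    return path, len(book), events
```

With the snippet's `>=` comparison, an ask whose value equals `minAskEth` exactly is still added to the book; only asks strictly below it take the path that changes nothing.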

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
