The number of days that an order was stuck inside the system is used as a multiplier for the reward shares. This incentivizes users who want to take control of the DAO to place orders in the order book that are not helpful for the market and instead stay in it as long as possible, so that the reward is multiplied many times over. If the order is executed some day, the rewards for it could be very high and therefore lead to a malicious user taking over the DAO.
When the orders of users are stuck longer than 14 days inside the order book, they receive a reward in the ditto governance token calculated by the following formula:
As we can see, the number of days that an order was stuck inside the system is used as a multiplier for the reward shares.
This therefore incentivizes malicious users to create orders which will not, or cannot, be matched, for example a short order way below the oracle price (as short orders below the oracle price cannot be matched). Such orders would not be beneficial for the market at all, but if they are matched some day the multiplier could be so high that the malicious user takes control of the DAO.
Users can take control over the DAO, or at least try to, by filling the order book with orders which are not helpful for the market. This will in the best case lead to higher gas costs as the order book gets filled up and in the worst case lead to a malicious user taking control over the DAO, which can lead to a lot of negative consequences for the protocol.
Manual Review
Think about different formulas for the reward calculation, or set a maximum multiplier for the current formula to not reward users for spamming the order book.
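The effect of a maximum multiplier can be seen in a small model, added here as an example and not taken from the protocol's code. It assumes reward shares equal order size times whole days in the book (the finding's formula is not reproduced on this page); the 30-day cap, the function names and the sample orders are constructed for illustration.

```python
from fractions import Fraction

DAY = 86_400
MIN_DAYS = 14  # from the finding: only orders stuck longer than 14 days earn rewards


def reward_shares(size, seconds_in_book, max_days=None):
    """Assumed model: shares = size * whole days in the book, optionally capped."""
    days = seconds_in_book // DAY
    if days <= MIN_DAYS:
        return 0
    if max_days is not None:
        days = min(days, max_days)  # the recommended maximum multiplier
    return size * days


def share_of_rewards(orders, who, max_days=None):
    """Fraction of all reward shares held by `who` once every order has matched."""
    totals = {}
    for owner, size, seconds in orders:
        totals[owner] = totals.get(owner, 0) + reward_shares(size, seconds, max_days)
    total = sum(totals.values())
    return Fraction(totals.get(who, 0), total) if total else Fraction(0)


# Constructed sample: ten ordinary orders matched after 15 days,
# plus one equally sized order that sat unmatched for 1000 days.
ORDERS = [(f"user{i}", 10, 15 * DAY) for i in range(10)]
ORDERS.append(("parked", 10, 1000 * DAY))

if __name__ == "__main__":
    print("uncapped:", share_of_rewards(ORDERS, "parked"))
    print("capped at 30 days:", share_of_rewards(ORDERS, "parked", max_days=30))
```

Under these assumptions, capping the multiplier brings the long-parked order's share back in line with its size instead of its age.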