DittoETH

Summary

A decentralized order book where every transaction is on chain gives validators the opportunity to extract MEV from bidders/sellers on Ditto. A validator could, for example, observe that someone is trying to cancel an order because the price moved against the person who placed the order and slip in a fill on their own behalf in front of the cancel and then sell for an immediate profit if there is an outstanding order on the Ditto order book where they can make an immediate profit. The validator will make profit at a loss to users of Ditto. They can also front run big fills on Ditto that they expect to move the price.

Front running takes advantage of a similar concept except that you don't have to be a validator to do it. Front running bots observe pending transactions in the mem pool and when they see a transaction that they could profit off of if they place their transactions in front of it (often this is a very large order that would move the price), they quickly submit those transactions and then pay much higher gas to ensure their transactions go in front of the target transaction. In the case of Ditto, they could also observe the outstanding orders to see if there is a way to use the mem pool info and the outstanding orders to make a profit at the expense of people using the Ditto platform.

Vulnerability Details

To place or cancel an order, you must call functions in BidOrdersFacet.sol, AskOrders.sol, OrdersFacet.sol, or ShortRecordFacet.sol. These calls must be processed by validators. This gives them the chance to add or reorder transactions. All these calls also become pending transactions in the mem pool where bots can observe them as well.

Impact

People may hesitate to place orders if they regularly experience their orders being filled at a loss to them (or filled before they're able to cancel). This can lead to reduced liquidity on the platform. Liquidity is the lifeblood of an exchange and you're always competing against all the other dapps to attract users and liquidity to your platform.

Tools Used

Manual review

Recommendations

A lot of platforms that run on an order book model provide a small incentive for market makers (ie, people who place limit orders). It is usually like 50 basis points of the amount filled. Having a lot of outstanding liquidity is very important for an exchange or people won't use it. There is currently a reward for short orders or limit bids outstanding for a certain period of time but not for limit asks nor for any orders actually filled.