DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Sub optimal price execution due to lack of deadline restriction

hash

Vulnerability Details

There is no deadline associated with order creation for all types of orders. Hence an order creation transaction not executed immediately due to reasons like sudden spike in gas cost, could get carried out at significantly different market condition in the future, unless the user explicitly invalidates this transaction. Since shorts only occur at near the oracle price, this issue is less significant for short orders.

function createBid(

address asset,

uint80 price,

uint88 ercAmount,

bool isMarketOrder,

MTypes.OrderHint[] calldata orderHintArray,

uint16[] calldata shortHintArray

)

createBid function

Example Scenario:

Current price of USDC is 0.6

User creates a bid at 0.58 and sends the tx

Due to spike in gas fees, user's tx doesn't get included in blocks for 2hrs

MATIC price drops to 0.5

User doesn't want to go ahead with the bid. To cancel the bid, the user is forced to make a possibly useless transaction with a high gas price.

Impact

The user might have to spend and monitor more in cancelling the order than getting cancelled with the deadline check
The user could end up conceding a bad trade.

Tools Used

Manual Review

Recommendations

Add a deadline parameter for createBid and createAsk functions.

diff --git a/contracts/facets/BidOrdersFacet.sol b/contracts/facets/BidOrdersFacet.sol

index 1f5edab..b54168a 100644

--- a/contracts/facets/BidOrdersFacet.sol

+++ b/contracts/facets/BidOrdersFacet.sol

@@ -42,7 +42,8 @@ contract BidOrdersFacet is Modifiers {

uint88 ercAmount,

bool isMarketOrder,

MTypes.OrderHint[] calldata orderHintArray,

- uint16[] calldata shortHintArray

+ uint16[] calldata shortHintArray,

+ uint deadline

)

external

isNotFrozen(asset)

@@ -50,6 +51,7 @@ contract BidOrdersFacet is Modifiers {

nonReentrant

returns (uint88 ethFilled, uint88 ercAmountLeft)

{

+ require(block.timestamp<=deadline,"Expired");

// Update oracle and starting short if last updated more than 1 hour ago

LibOrders.updateOracleAndStartingShortViaTimeBidOnly(

asset, OF.OneHour, shortHintArray

Updates

Lead Judging Commences

0xnevi Lead Judge

almost 2 years ago

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.