DittoETH

55,000 USDC
Submission Details
Severity: low
Valid

Malicious trader can intentionally obtain `dittoMatchedShares` in some edge cases

Summary

A malicious trader can intentionally obtain dittoMatchedShares by creating a bid order at a price so low that nobody will ask at it, waiting more than 14 days, and then creating an ask order at that same low price from the same account. The self-match increases the trader's dittoMatchedShares.

Vulnerability Details

A malicious trader can create a bid order via BidOrdersFacet::createBid() at a very low price, wait the minimum number of days required to earn dittoMatchedShares, and then place an ask order at the bid's low price. Consider the following scenario:

Market status:
assetX: current price 100
  1. The malicious trader creates a bid order for assetX at price 10 (low compared to the current price of 100) with ercAmount 10. The price is chosen low because nobody wants to sell at that level, so the order can sit on the book without being matched.

  2. The bid order is placed on the order book because there are no asks/sells to fill it at that price.

  3. The malicious trader waits for more than 14 days. Additionally, the malicious trader needs to wait until there are no asks/sells in the order book.

  4. Once step 3 holds, the malicious trader creates an ask order at price 10 with ercAmount 10 (the bid's price from step 1). The ask is matched against the bid from step 1 and dittoMatchedShares are assigned to the malicious trader.

It is a very narrow edge case because the malicious trader needs an empty ask/sell side of the order book in order to place his own ask at the malicious bid's price, but for an asset that is not actively traded the malicious actor can benefit from this.

Impact

A malicious actor can intentionally obtain dittoMatchedShares using bid/ask orders that he crafts himself. Since both the bid and the ask are created by the same actor, he does not lose any assets in the process.

Tools used

Manual review

Recommendations

Verify that the address of the bid order is not the same address that is creating the ask order.
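The following is an added toy model of the four-step scenario above and of the recommended owner check; it is not DittoETH's code. The order book, the "one share per matched unit" crediting rule and the `reject_self_match` flag are assumptions made here for illustration; only the 14-day threshold, price 10 and ercAmount 10 come from the report.

```python
from dataclasses import dataclass, field

# Threshold from the report: a matched bid older than this earns dittoMatchedShares.
SHARE_MIN_AGE = 14 * 24 * 3600  # seconds

@dataclass
class Order:
    trader: str
    price: int
    erc_amount: int
    created_at: int

@dataclass
class Market:
    """Toy order book (not DittoETH's code): bids rest, asks match on arrival."""
    bids: list = field(default_factory=list)
    shares: dict = field(default_factory=dict)
    reject_self_match: bool = False  # the recommended check (assumed flag name)

    def create_bid(self, trader, price, amount, now):
        # Steps 1-2: nothing on the sell side at this price, so the bid rests on the book.
        self.bids.append(Order(trader, price, amount, now))

    def create_ask(self, trader, price, amount, now):
        """Fill against resting bids priced >= ask; return shares credited by this fill."""
        credited = 0
        for bid in sorted(self.bids, key=lambda b: -b.price):
            if amount == 0 or bid.price < price:
                break
            if self.reject_self_match and bid.trader == trader:
                continue  # recommendation: never match a trader against their own bid
            fill = min(amount, bid.erc_amount)
            amount -= fill
            bid.erc_amount -= fill
            if now - bid.created_at > SHARE_MIN_AGE:
                # Assumed stand-in: one share per matched unit; DittoETH's formula differs.
                self.shares[bid.trader] = self.shares.get(bid.trader, 0) + fill
                credited += fill
        self.bids = [b for b in self.bids if b.erc_amount > 0]  # unfilled ask remainder is dropped
        return credited

def run_scenario(reject_self_match):
    """Constructed replay of the report's steps; returns the attacker's credited shares."""
    m = Market(reject_self_match=reject_self_match)
    m.create_bid("attacker", price=10, amount=10, now=0)      # step 1: asset trades near 100
    later = 15 * 24 * 3600                                      # step 3: wait more than 14 days
    m.create_ask("attacker", price=10, amount=10, now=later)  # step 4: ask hits own bid
    return m.shares.get("attacker", 0)
```

`run_scenario(False)` credits 10 shares to the attacker without any real counterparty; with the owner check enabled the ask skips the attacker's own bid and no shares are credited.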

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-395
