Collateral is not returned to the creator of an order when it is cancelled with cancelOrderFarFromOracle.
According to the documentation, the purpose of the cancelOrderFarFromOracle function in OrdersFacet.sol is to prevent attacks that spam the orderbook with orders. Once the total number of orders hits the 65,000 limit, this function allows any user to cancel the last order in the orderbook, and the DAO to cancel the last 1,000 orders.
The issue is that when an order is cancelled this way, the ETH or ERC20 collateral deposited by the creator of the order is not returned to them. It is not clear whether this is intentional, but it means a significant loss of funds for the creator of the order.
Because orders in the orderbook are sorted by price rather than by time of creation, a spammer can create new orders that land in the middle of the orderbook, so that it is the honest users' orders at the far end that get cancelled and lose their collateral. Also, because of frontrunning, honest users cannot be certain of the total number of orders, or of the position of their new order, at the moment their transaction settles.
Users will lose their collateral when their orders are cancelled, which can be forced by spammers.
Manual inspection.
Handle the return of the collateral to the creator of the order in the same way as is done in cancelBid, cancelAsk and cancelShort.
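To make the accounting gap concrete, here is an added, deliberately minimal Solidity illustration written for this note. It is not OrdersFacet.sol and not code from the audited project: a toy orderbook with the far-from-oracle cancel written once as this finding describes it and once with the refund the recommendation asks for. The contract name, the ORDER_LIMIT of 8, ETH-only collateral, the internal withdrawable balance, and the single-order cancel (the DAO's 1,000-order batch path is left out) are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Toy orderbook written for this note. It is not OrdersFacet.sol; every
/// name and limit here is an assumption chosen to keep the example short.
contract ToyOrderbook {
    struct Order {
        address creator;
        uint88 collateral; // ETH escrowed when the order was placed
        uint80 price;
    }

    // Assumed small limit; the finding's real limit is 65,000.
    uint256 public constant ORDER_LIMIT = 8;

    // Sorted by price, descending, so the last entry is the bid farthest
    // from the oracle price and therefore the one eligible for cancellation.
    Order[] public book;

    // ETH a user may withdraw (collateral returned after a cancel).
    mapping(address => uint256) public withdrawable;

    // ETH the contract still owes someone: escrowed in `book` plus credited
    // in `withdrawable`. Used only to measure the loss below.
    uint256 public accounted;

    function placeOrder(uint80 price) external payable {
        require(book.length < ORDER_LIMIT, "book full");
        require(msg.value > 0 && msg.value <= type(uint88).max, "bad collateral");

        // Insertion-sort step: shift worse-priced orders down one slot so a
        // mid-priced spam order lands in the middle, pushing honest
        // low-priced bids toward the cancellable tail.
        book.push();
        uint256 i = book.length - 1;
        while (i > 0 && book[i - 1].price < price) {
            book[i] = book[i - 1];
            i--;
        }
        book[i] = Order(msg.sender, uint88(msg.value), price);
        accounted += msg.value;
    }

    /// Behaviour as described in the finding: once the book is full, anyone
    /// may drop the last order, and the creator's collateral is forgotten.
    function cancelOrderFarFromOracleVulnerable() external {
        require(book.length == ORDER_LIMIT, "book not full");
        Order memory last = book[book.length - 1];
        book.pop();
        // No credit to `withdrawable`: the ETH stays in the contract with
        // no owner. Reflect that in the bookkeeping so strandedEth() shows it.
        accounted -= last.collateral;
    }

    /// Recommended behaviour: same trigger, but the collateral goes back to
    /// the creator, as a cancelBid/cancelAsk/cancelShort-style cancel would.
    function cancelOrderFarFromOracleFixed() external {
        require(book.length == ORDER_LIMIT, "book not full");
        Order memory last = book[book.length - 1];
        book.pop();
        withdrawable[last.creator] += last.collateral; // nothing leaves `accounted`
    }

    function withdraw() external {
        uint256 amount = withdrawable[msg.sender];
        require(amount > 0, "nothing to withdraw");
        withdrawable[msg.sender] = 0;
        accounted -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    /// ETH held by the contract that no order and no user can claim.
    /// Stays 0 with the fixed cancel; grows by one order's collateral per
    /// vulnerable cancel.
    function strandedEth() external view returns (uint256) {
        return address(this).balance - accounted;
    }
}
```

After eight placeOrder calls the book is full and a ninth reverts; calling cancelOrderFarFromOracleVulnerable then makes strandedEth() equal to the popped order's collateral, while cancelOrderFarFromOracleFixed leaves it at zero and lets the creator withdraw. The sorted insert is what turns this into the spam scenario from the description: an attacker placing mid-priced orders never occupies the tail, so the honest order with the worst price is the one that gets popped.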