DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: medium
Invalid

Insufficient Balance Check

Summary

See the Vulnerability Details section; it explains everything.

Vulnerability Details

The contract checks whether the ercEscrowed balance of msg.sender is less than ercAmount. If it is, the contract reverts with the Errors.InsufficientERCEscrowed() error.
An attacker monitoring the Ethereum mempool can observe a user trying to create an ask order and determine the ercEscrowed balance they intend to use. If the attacker can execute a transaction faster than the user, they can manipulate their own ercEscrowed balance to be just slightly greater than the user's intended amount. This causes the user's transaction to revert, while the attacker's transaction gets accepted, allowing them to place an order with the victim's funds.
The following scenario can serve as a PoC showing the vulnerability:

  • A user, let's call her Alice, intends to create an ask order with a significant amount of ERC tokens, and her ercEscrowed balance is well above this amount.

  • An attacker, let's call him Bob, closely monitors the Ethereum mempool and detects Alice's transaction before it gets confirmed.

  • Bob quickly crafts a transaction that manipulates his ercEscrowed balance to be slightly higher than Alice's intended amount.

  • Bob's transaction gets mined before Alice's, and Alice's transaction reverts due to the insufficient balance check.

  • Bob's transaction is successful, and he places an order with Alice's funds, effectively draining her account.

Impact

An attacker can exploit this to drain funds from legitimate users by tricking the contract into accepting orders with insufficient escrowed balances.

Tools Used

Manual review

Recommendations

  • Here is an example that can fix the issue:

  • Add a mapping to track the escrowed ERC balances of users:
    mapping(address => mapping(address => uint88)) public userEscrowedBalances;

  • Update the user's escrowed balance after the trade:
    userEscrowedBalances[asset][msg.sender] -= ercAmount;
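As an added example (not DittoETH's code and not part of the submission), a minimal Solidity sketch of the recommended pattern: the escrowed balance is checked and debited inside the same call that records the ask order, so one escrowed amount cannot back two orders. The contract name EscrowedAskBook, the functions depositEscrow, createAsk and cancelAsk, the Ask struct and the custom errors are assumptions for illustration only; the real ERC20 pull into escrow is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Illustrative order book that backs every ask with escrowed ERC balance.
/// Added example; names and layout are assumptions, not DittoETH code.
contract EscrowedAskBook {
    error InsufficientERCEscrowed();
    error ZeroAmount();
    error NotMaker();
    error AskNotOpen();

    struct Ask {
        address maker;
        address asset;
        uint88 ercAmount; // 0 once the ask is cancelled or fully filled
        uint80 price;
    }

    /// @dev asset => user => escrowed amount still free to back new asks
    mapping(address => mapping(address => uint88)) public userEscrowedBalances;

    Ask[] public asks;

    event EscrowDeposited(address indexed asset, address indexed user, uint88 amount);
    event AskCreated(uint256 indexed id, address indexed maker, address indexed asset, uint88 ercAmount, uint80 price);
    event AskCancelled(uint256 indexed id, uint88 refunded);

    /// @notice Credit escrow for the caller. A production contract would pull the
    /// tokens here (e.g. ERC20 transferFrom); this sketch only updates accounting.
    function depositEscrow(address asset, uint88 amount) external {
        if (amount == 0) revert ZeroAmount();
        userEscrowedBalances[asset][msg.sender] += amount;
        emit EscrowDeposited(asset, msg.sender, amount);
    }

    /// @notice Create an ask backed by the caller's own escrow.
    /// The balance check and the debit happen in the same transaction, so a later
    /// createAsk from the same account cannot reuse escrow already locked here.
    function createAsk(address asset, uint88 ercAmount, uint80 price) external returns (uint256 id) {
        if (ercAmount == 0) revert ZeroAmount();

        uint88 available = userEscrowedBalances[asset][msg.sender];
        if (available < ercAmount) revert InsufficientERCEscrowed();

        // Effects before recording the order: lock the escrow first.
        userEscrowedBalances[asset][msg.sender] = available - ercAmount;

        id = asks.length;
        asks.push(Ask({maker: msg.sender, asset: asset, ercAmount: ercAmount, price: price}));
        emit AskCreated(id, msg.sender, asset, ercAmount, price);
    }

    /// @notice Cancel an open ask and return its locked amount to the maker's escrow.
    function cancelAsk(uint256 id) external {
        Ask storage a = asks[id];
        if (a.maker != msg.sender) revert NotMaker();
        if (a.ercAmount == 0) revert AskNotOpen();

        uint88 refund = a.ercAmount;
        a.ercAmount = 0; // mark closed before crediting (effects first)
        userEscrowedBalances[a.asset][msg.sender] += refund;
        emit AskCancelled(id, refund);
    }
}
```

In this sketch createAsk reads and debits only the msg.sender entry of userEscrowedBalances, so its outcome depends solely on the caller's own escrow at execution time; whether DittoETH's real createAsk path already behaves this way is not something this page establishes.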

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
