DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: low
Valid

Overflow in the `cancelManyOrders` function

Summary

The function is subject to overflow, resulting in an endless loop.

Vulnerability Details

The cancelManyOrders function is used to cancel orders if the protocol were to come under attack and a lot of spam orders were created. The function is meant to cancel up to 1'000 orders: the variable numOrdersToCancel can be as large as 1000. However, a uint8 i is used as the loop counter, which means that i can only be as large as 255. Here lies the core of the issue: if numOrdersToCancel is set to 256 or higher, the i variable overflows after reaching 255 and is set back to 1, because unchecked {++i;} removes the overflow protection. The function therefore runs in an infinite loop, most likely running out of gas.

Impact

Under a spam attack the uint16 variable for the ordersId might be saturated, and nothing is able to go through anymore. A protocol member with the right authority decides to cancel the last 1'000 orders to make room for new orders. However, because the maximum number of orders the code allows to cancel at once is 255, the transaction will fail. Without proper knowledge of this vulnerability, the actor responsible for cancelling the orders would not know how to proceed, leaving the protocol under attack.

This vulnerability is classified as a Medium: the funds are not directly at risk and the vulnerability doesn't pose a direct financial threat, but the protocol's functionality may be disrupted under a spam attack. So while the impact is not severe in terms of financial loss, it's essential to address this issue to maintain the protocol's reliability and performance.

Tools Used

Manual review

Recommendations

```solidity
// widen the counter from uint8 to uint16 so i can reach numOrdersToCancel (up to 1000)
for (uint16 i; i < numOrdersToCancel;) {
```
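To make the counter behaviour in the Vulnerability Details and the effect of the recommended fix concrete, here is an added Python model of the loop (not DittoETH code): the loop variable is given a configurable bit width, the increment wraps modulo 2**bits like `unchecked { ++i; }`, and a step budget stands in for the block gas limit. The function names and the budget value are assumptions for the model.

```python
# Added example (not DittoETH code): a model of the cancelManyOrders loop
# counter, showing why `uint8 i` with `unchecked { ++i; }` never terminates
# once numOrdersToCancel exceeds 255, and why widening to uint16 fixes it.
MAX_STEPS = 5_000  # assumed stand-in for the block gas limit; stops a runaway loop


class OutOfGas(Exception):
    """Raised when the modelled loop exceeds its step budget."""


def cancel_many_orders(num_orders_to_cancel: int, counter_bits: int) -> int:
    """Return how many orders the loop cancels before `i < numOrdersToCancel`
    becomes false. `counter_bits` is the width of the loop variable (8 for
    the vulnerable uint8, 16 for the recommended uint16). The increment is
    modelled as unchecked: it wraps modulo 2**counter_bits instead of reverting.
    """
    modulus = 1 << counter_bits
    cancelled = 0
    i = 0
    steps = 0
    while i < num_orders_to_cancel:
        cancelled += 1          # the loop body cancels one order per iteration
        i = (i + 1) % modulus   # unchecked { ++i; } -> wraps at 2**bits
        steps += 1
        if steps > MAX_STEPS:
            raise OutOfGas(f"counter wrapped; {cancelled} cancellations but loop never exits")
    return cancelled


def terminates(num_orders_to_cancel: int, counter_bits: int) -> bool:
    """True if the modelled call completes, False if it runs out of gas."""
    try:
        cancel_many_orders(num_orders_to_cancel, counter_bits)
        return True
    except OutOfGas:
        return False


if __name__ == "__main__":
    for bits in (8, 16):
        for n in (255, 256, 1000):
            status = "ok" if terminates(n, bits) else "out of gas (infinite loop)"
            print(f"uint{bits}, numOrdersToCancel={n}: {status}")
```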

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-514
