DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: medium
Valid

Bid smaller than the minimum ETH value left in the order book

Summary

When the amount of assets the user intends to sell at a certain price is less than the top bidder's ercAmount, the left-over portion of the top bidder's ercAmount is placed back into the order book without checking that its ETH value is greater than the minimum ETH value, allowing an order below the minimum size to remain in the order book.

Vulnerability Details

if (dustErcAmount || incomingAsk.ercAmount == highestBid.ercAmount) {
  // @note when the ask amount matches the quantity of the highest bid
  matchOrder(s.bids, asset, highestBid.id);
  updateBidOrdersOnMatch(s.bids, asset, highestBid.id, true);
} else {
  // @audit-issue no check that (highestBid.ercAmount - incomingAsk.ercAmount) * highestBid.price > minEth
  // before the remainder is added back to the order book
  s.bids[asset][highestBid.id].ercAmount =
    highestBid.ercAmount - incomingAsk.ercAmount;
  updateBidOrdersOnMatch(s.bids, asset, highestBid.id, false);
  // @note adds the bid back to the order book with the reduced amount
}

In the else block, highestBid.ercAmount is reduced by incomingAsk.ercAmount and the bid is then written back into the order book. There is no validation that the resulting ercAmount * price > minEth, as implied in the protocol documentation and as enforced in the CreateBid function by:

if (eth < LibAsset.minBidEth(asset)) revert Errors.OrderUnderMinimumSize();

which reverts when the ETH value of the order is below the minimum.

Impact

Leaves orders whose ETH value is below the minimum order size resting in the order book.

Tools Used

Manual

Recommendations

Check that the resulting highestBid.ercAmount * highestBid.price is above the minimum ETH value required to enter or remain in the order book before writing the reduced bid back.
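The partial-fill branch from the vulnerability details, modelled beside one way of applying the recommendation (a dust remainder is folded into a full match instead of being left resting). This is an added stand-alone illustration, not DittoETH's code; the contract, struct and function names, the minBidEth storage value and the 18-decimal price scaling are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Stand-alone model of the partial-fill branch; all names are assumed.
contract PartialFillGuard {
    error OrderUnderMinimumSize();

    struct Bid {
        uint88 ercAmount; // asset quantity
        uint80 price;     // ETH per unit of asset, 18-decimal fixed point
        bool open;        // false once fully matched or removed
    }

    uint256 public minBidEth; // assumed minimum ETH value for a resting bid
    Bid[] public bids;

    constructor(uint256 _minBidEth) { minBidEth = _minBidEth; }

    function placeBid(uint88 ercAmount, uint80 price) external returns (uint256 id) {
        // Mirrors the createBid check the finding cites: reject undersized bids.
        if (ethValue(ercAmount, price) < minBidEth) revert OrderUnderMinimumSize();
        bids.push(Bid(ercAmount, price, true));
        return bids.length - 1;
    }

    // Vulnerable behaviour: the remainder is written back unconditionally,
    // so a bid worth less than minBidEth can remain in the book.
    function fillVulnerable(uint256 id, uint88 askErc) external {
        Bid storage b = bids[id];
        require(b.open && askErc < b.ercAmount, "not a partial fill");
        b.ercAmount -= askErc;
    }

    // Hardened variant: a remainder below minBidEth is treated as a full match.
    // Refunding the bidder's escrowed ETH for that dust is outside this model.
    function fillChecked(uint256 id, uint88 askErc) external {
        Bid storage b = bids[id];
        require(b.open && askErc < b.ercAmount, "not a partial fill");
        uint88 remaining = b.ercAmount - askErc;
        if (ethValue(remaining, b.price) < minBidEth) {
            b.ercAmount = 0;
            b.open = false; // remove rather than leave dust resting
        } else {
            b.ercAmount = remaining;
        }
    }

    function ethValue(uint88 ercAmount, uint80 price) public pure returns (uint256) {
        return (uint256(ercAmount) * uint256(price)) / 1e18;
    }
}
```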

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-145
