DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: medium
Invalid

Bidder can collect Shares multiple times

Summary

A bidding account is credited Ditto shares once for every match against a single order, rather than once per order.

Vulnerability Details

When highestBidder.ercAmount > incomingAsk.ercAmount, the remainder (highestBidder.ercAmount - incomingAsk.ercAmount) is re-added to the order book so the protocol can match it again. The problem is that Ditto shares have already been assigned to the bid entry at #L64, where the shares are calculated like so:

uint32 timeTillMatch = getOffsetTime() - order.creationTime;

This means the shares are calculated relative to the time the bid was first created. So every time an ask is matched against a bid and highestBidder.ercAmount > ask.ercAmount, the remainder goes back on the order book, which qualifies the bidder yet again for more Ditto shares measured from order.creationTime.

Impact

A bidder receives more shares than intended.

Tools Used

Manual

Recommendations

The highest bidder is meant to receive Ditto shares when its order has been matched and closed, not on every match. Even if shares are intended to accrue on every match, subsequent matches should calculate the new shares relative to the last time the order was matched, not relative to its creation time.
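The following is an added, constructed model of the accounting this submission describes and of the two recommended alternatives; it is not DittoETH's code, and the share formula (one share per second of timeTillMatch, ignoring the matched amount) and the `last_match_time` field are placeholders. The report was invalidated by the judge, so the model only illustrates the claimed mechanism, not confirmed protocol behaviour.

```python
from dataclasses import dataclass, field

# Constructed model: stand-in share formula, one share per second of timeTillMatch.
def shares_for(time_till_match: int) -> int:
    return time_till_match

@dataclass
class Bid:
    erc_amount: int
    creation_time: int                          # order.creationTime
    last_match_time: int = field(init=False)    # hypothetical field, not in the page
    shares: int = 0

    def __post_init__(self) -> None:
        self.last_match_time = self.creation_time

def match_asks(bid: Bid, asks: list[tuple[int, int]], mode: str) -> int:
    """Fill `bid` against asks given as (match_time, ask_erc_amount).

    mode = "creation"   : every (partial) match credits shares measured from
                          creation_time, the behaviour the submission reports.
    mode = "last_match" : each match credits only the interval since the
                          previous match (the submission's alternative fix).
    mode = "on_close"   : shares credited once, when the bid is fully filled.
    Returns the total shares credited to the bidder.
    """
    for now, ask_amount in asks:
        if bid.erc_amount == 0:
            break
        matched = min(bid.erc_amount, ask_amount)
        bid.erc_amount -= matched           # remainder stays on the order book
        if mode == "creation":
            bid.shares += shares_for(now - bid.creation_time)
        elif mode == "last_match":
            bid.shares += shares_for(now - bid.last_match_time)
        elif mode == "on_close":
            if bid.erc_amount == 0:
                bid.shares += shares_for(now - bid.creation_time)
        else:
            raise ValueError(f"unknown mode {mode!r}")
        bid.last_match_time = now
    return bid.shares

def run(mode: str) -> int:
    # Constructed scenario: a 100-unit bid created at t=1000, partially filled
    # by a 40-unit ask at t=1100 and closed by a 60-unit ask at t=1300.
    bid = Bid(erc_amount=100, creation_time=1_000)
    return match_asks(bid, [(1_100, 40), (1_300, 60)], mode)
```

With the creation-time reference the two matches credit 100 + 300 = 400 shares, while both recommended variants credit 300, the time the bid actually spent on the book.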

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
