A bidder can accumulate as many shares as the life of the contract permits, since only the bidder can cancel its own bid.
When:
`(highestBid.ercAmount > incomingAsk.ercAmount) && ((highestBid.ercAmount - incomingAsk.ercAmount) * highestBid.price) < minEth(asset)`
the resultant bid gets added back to the order book. The challenge is that no other account can match, close, or cancel this order on the protocol, and shares in the system are a function of the time an order has spent on the order book before being fully matched.
Bob creates a malicious contract to add two order entries on the Ditto protocol:
The first entry (entry A) creates a limit bid.
The second entry (entry B) creates a market ask to fill the limit bid, but in such a way that it leaves entry A (highestBid) like so: `(highestBid.ercAmount > incomingAsk.ercAmount) && ((highestBid.ercAmount - incomingAsk.ercAmount) * highestBid.price) < minEth(asset)`
Entry A will not be eligible for shares when it is filled by entry B, because it has not met the 14-day requirement. But since no one can now close Bob's limit bid (because every market ask must also be greater than the minEth value of the asset), Bob can leave the bid on the book as long as he likes and therefore accumulate as many shares as possible, relative to the time at which he finally decides to close the bid.
A malicious user can accumulate as many shares as they please within their desired fixed time and the life of the contract.
Manual
Don't allow bid values less than the minEth of the asset.
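The sketch below is an added example, not code from the Ditto protocol: a simplified Python model of the remainder condition quoted above, showing the unguarded partial fill beside one with the recommended guard. The 18-decimal scaling, the `Bid` type, the function names, the choice to refund a sub-minimum remainder, and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

WAD = 10**18  # assumption: amounts and prices are 18-decimal fixed point


@dataclass
class Bid:
    erc_amount: int  # remaining ERC amount, WAD-scaled
    price: int       # ETH per ERC unit, WAD-scaled


def eth_value(erc_amount: int, price: int) -> int:
    """ETH value (in wei) of an ERC amount at the bid's price."""
    return erc_amount * price // WAD


def leaves_dust(bid: Bid, ask_erc: int, min_eth: int) -> bool:
    """Condition from the finding: a partial fill whose remainder is worth < minEth."""
    return (bid.erc_amount > ask_erc
            and eth_value(bid.erc_amount - ask_erc, bid.price) < min_eth)


def fill(bid: Bid, ask_erc: int, min_eth: int,
         guard: bool) -> Tuple[Optional[Bid], int]:
    """Match an incoming ask against `bid`; return (resting_remainder, refunded_eth).

    guard=False: behaviour described in the finding, the remainder always rests.
    guard=True:  recommended fix, a remainder worth < min_eth is refunded
                 instead of being added back to the book (hypothetical handling).
    """
    if ask_erc >= bid.erc_amount:
        return None, 0  # bid fully filled, nothing left to rest
    remainder = Bid(bid.erc_amount - ask_erc, bid.price)
    value = eth_value(remainder.erc_amount, remainder.price)
    if guard and value < min_eth:
        return None, value
    return remainder, 0


# Constructed sample values (not taken from the protocol).
MIN_ETH = WAD // 1000                    # 0.001 ETH minimum order value
ENTRY_A = Bid(1000 * WAD, 5 * WAD // 10000)  # 1000 units at 0.0005 ETH each

if __name__ == "__main__":
    for ask in (999 * WAD, 500 * WAD):
        print(ask // WAD, leaves_dust(ENTRY_A, ask, MIN_ETH),
              fill(ENTRY_A, ask, MIN_ETH, guard=False),
              fill(ENTRY_A, ask, MIN_ETH, guard=True))
```
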