DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: low
Invalid

Lack of functionality to withdraw dust from contract can result in trapped funds

Summary

The protocol's matching logic cancels (treats as fully filled) an order once only a dust amount of erc remains. That dust is never accounted for anywhere: across a large volume of orders it can build up, yet nothing records the running total of tokens that should eventually be withdrawable, and no function exists to withdraw them.

Vulnerability Details

The LibOrders:sellMatchAlgo function contains logic that treats a bid with only a dust amount of erc tokens left as fully matched. This can be seen in the following code snippet:

// the bid's remainder after this ask, valued at the bid price, rounds to zero
bool dustErcAmount = (highestBid.ercAmount - incomingAsk.ercAmount)
    .mul(highestBid.price) == 0;
if (dustErcAmount || incomingAsk.ercAmount == highestBid.ercAmount) {
    // the bid is removed from the book as if fully filled
    matchOrder(s.bids, asset, highestBid.id);
    updateBidOrdersOnMatch(s.bids, asset, highestBid.id, true);
} ...

The bid is then treated as completely filled, and the remainder that made dustErcAmount true is never recorded anywhere. Together with the absence of any withdrawal function, this leaves that remainder unrecoverable as it accumulates over time.

Impact

Because no state tracks the dust erc remainders and no function can withdraw them, these tokens are effectively lost, and over many orders the total may grow to a large amount.

Tools Used

Manual review

Recommendations

Increment a state variable by the dust remainder (the amount that made dustErcAmount true) left unused from each cancelled order, and add a function that withdraws the accumulated total.
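The following Python model is an added illustration, not DittoETH's own code, of the dust check in the snippet above and of the accounting this recommendation asks for. It assumes that `.mul()` is an 18-decimal fixed-point multiply (a * b / 1e18, truncating), that the bid's ercAmount is at least the ask's (as the subtraction in the snippet implies), and it invents the names `BookState`, `sell_match_step` and `withdraw_dust`; the orders and prices are constructed sample values.

```python
from dataclasses import dataclass, field

# Assumption: .mul() in the contract is WAD (1e18) fixed-point multiplication.
WAD = 10**18


def mul(a: int, b: int) -> int:
    """Fixed-point multiply, truncating like Solidity integer division."""
    return a * b // WAD


@dataclass
class Order:
    id: int
    price: int       # WAD-scaled price of the erc asset
    ercAmount: int   # raw erc units still open on this order


@dataclass
class BookState:
    """Hypothetical storage: the counter the recommendation proposes."""
    dustErc: int = 0                       # running total of cancelled remainders
    fully_matched: list = field(default_factory=list)


def is_dust(remaining: int, price: int) -> bool:
    """Mirrors `(bid.ercAmount - ask.ercAmount).mul(bid.price) == 0`."""
    return mul(remaining, price) == 0


def sell_match_step(state: BookState, highest_bid: Order, incoming_ask: Order):
    """One iteration of the matching branch shown in the report.

    Returns ("full" | "partial", erc left on the bid). On a full match caused
    by dust, the remainder is credited to state.dustErc instead of vanishing.
    """
    if incoming_ask.ercAmount > highest_bid.ercAmount:
        raise ValueError("model only covers ask <= bid, as in the snippet")
    remaining = highest_bid.ercAmount - incoming_ask.ercAmount
    if remaining == 0 or is_dust(remaining, highest_bid.price):
        # Bid is removed from the book as if completely filled. Without the
        # next line the `remaining` erc is simply forgotten.
        state.dustErc += remaining
        state.fully_matched.append(highest_bid.id)
        highest_bid.ercAmount = 0
        return "full", 0
    # Ordinary partial fill: the bid stays with the reduced amount.
    highest_bid.ercAmount = remaining
    return "partial", remaining


def withdraw_dust(state: BookState) -> int:
    """The recommended withdrawal: hand out the total and reset the counter."""
    amount = state.dustErc
    state.dustErc = 0
    return amount


def run_many(state: BookState, count: int, bid_erc: int, ask_erc: int, price: int) -> int:
    """Replay `count` dust-producing matches to show how the remainder builds up."""
    for i in range(count):
        bid = Order(id=i, price=price, ercAmount=bid_erc)
        ask = Order(id=10_000 + i, price=price, ercAmount=ask_erc)
        sell_match_step(state, bid, ask)
    return state.dustErc


if __name__ == "__main__":
    # Constructed sample: price 1e12 (0.000001 in WAD terms), so any remainder
    # below 1_000_000 erc units values to zero and counts as dust.
    price = 10**12
    state = BookState()
    print(sell_match_step(state, Order(1, price, 5_999_999), Order(9, price, 5_000_000)))
    print(sell_match_step(state, Order(2, price, 7_000_000), Order(8, price, 6_000_000)))
    print("dust after two matches:", state.dustErc)
    print("dust after 1000 more:", run_many(state, 1000, 5_999_999, 5_000_000, price))
    print("withdrawn:", withdraw_dust(state), "remaining counter:", state.dustErc)
```

The boundary is the interesting part: at a WAD price of 1e12, a remainder of 999_999 erc units values to 0 and is dropped as dust, while 1_000_000 values to 1 and stays on the book. Each dust cancellation is tiny on its own, but the counter makes the cumulative amount visible and withdrawable.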

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
