In SettlementBranch, the function fillOffchainOrders, which handles offchain orders, contains a vulnerability: users can grief other users by signing the same order multiple times, or by signing invalid orders, and sending them to the keeper. This can cause a denial of service (DoS) by preventing valid orders from being processed.
The code relies on a unique salt to prevent order replay. However, users can sign the same order multiple times with the same salt. When the keeper calls fillOffchainOrders with the same order signed more than once, the order is filled the first time but reverts the second time. As a result, fillOffchainOrders reverts and the other users' orders are not processed.
There are many scenarios in which _fillOrder, which is called by fillOffchainOrders, reverts. If any one order is invalid, the whole transaction reverts.
User A creates an order and signs it with a specific salt, or signs an order that is going to revert.
User A sends the order to the keeper.
When the keeper calls fillOffchainOrders with this order along with the orders of other users, the function reverts.
Causes denial of service in fillOffchainOrders.
Manual review
Instead of reverting for invalid orders, the function should return so that other orders can be processed.
If you send 1 cancel and 1 create it should still run the cancel, not revert everything.
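One way to apply this recommendation, as an added example that is not the audited project's code: a simplified Solidity sketch in which the batch loop wraps each fill in a self-call, so a reverting order is skipped instead of reverting the whole batch. The Order struct, usedSalt mapping, events, errors and function names are hypothetical, and signature verification and keeper access control are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified model. Order, usedSalt, the events and the errors
// are assumptions for illustration, not the audited project's definitions.
// Signature checks and keeper-only access control are left out on purpose.
contract BatchFillSketch {
    struct Order { address trader; bytes32 salt; int256 sizeDelta; }

    mapping(address => mapping(bytes32 => bool)) public usedSalt;

    event OrderFilled(address indexed trader, bytes32 salt);
    event OrderSkipped(address indexed trader, bytes32 salt, bytes reason);

    error SaltAlreadyUsed(address trader, bytes32 salt);
    error ZeroSize();
    error OnlySelf();

    // Before: a single failing order reverts the entire batch.
    function fillAtomic(Order[] calldata orders) external {
        for (uint256 i = 0; i < orders.length; i++) {
            _fill(orders[i]);
        }
    }

    // After: each order runs in its own call frame, so a revert rolls back
    // only that order's state changes and the loop moves on to the next one.
    function fillTolerant(Order[] calldata orders) external {
        for (uint256 i = 0; i < orders.length; i++) {
            try this.fillOne(orders[i]) {
                emit OrderFilled(orders[i].trader, orders[i].salt);
            } catch (bytes memory reason) {
                emit OrderSkipped(orders[i].trader, orders[i].salt, reason);
            }
        }
    }

    // External only so try/catch can wrap it; callable by this contract alone.
    function fillOne(Order calldata order) external {
        if (msg.sender != address(this)) revert OnlySelf();
        _fill(order);
    }

    function _fill(Order calldata order) internal {
        if (order.sizeDelta == 0) revert ZeroSize();
        if (usedSalt[order.trader][order.salt]) revert SaltAlreadyUsed(order.trader, order.salt);
        usedSalt[order.trader][order.salt] = true;
    }
}
```

A skipped order still costs the keeper gas, so rejecting duplicate salts and invalid orders off-chain before building the batch remains worthwhile. Inside the self-call msg.sender is the contract itself, so any keeper check belongs in the outer batch function.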