Zaros Part 1
Zaros
DeFiFoundry
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Attacker can grief the `MarketOrderKeeper` by making `fillMarketOrder` revert by withdrawing collateral after making an order

spearmint

Attacker can grief the MarketOrderKeeper by making fillMarketOrder revert by withdrawing collateral after making an order

Vulnerability Details

It is possible to create an on chain market order and then perform actions to ensure that when the keeper calls fillMarketOrder it will revert

Here is how attacker can force fillMarketOrder to revert after creating a market order via createMarketOrder

  1. Immediately withdraw all collateral after making an order, this will revert because of this check in _fillOrder

The protocol clearly does not intend to have these scenarios involving creating an order then making it instantly unfillable. Proof is from cancelMarketOrder in OrderBranch.sol

function cancelMarketOrder(uint128 tradingAccountId) external {
...
// reverts if a trader has a pending order and that pending order hasn't
// existed for the minimum order lifetime; pending orders can't be cancelled
// until they have existed for the minimum order lifetime
marketOrder.checkPendingOrder();
...
...

Impact

keeper loses funds

User can create an unfillable order

User can effectively cancel an order before the minimum order lifetime

Tools Used

Manual Review

Recommendations

Do not allow removing collateral when there is an active order

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

The Keeper can be griefed by a user who withdraw's the collateral when having a pending position

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!