Multiple ways to grief the `OffchainOrdersKeeper` by making `fillOffchainOrders` revert, also delay honest user's orders
Vulnerability Details
There are multiple ways to create an offChainOrder to ensure that when the keeper calls fillOffchainOrders it will revert
Here are some of the ways, there are a lot more but are not relevant because they all have the same fix
Pass a 0
sizeDelta, will revert herepass a non-existent account, will revert here
transferring the accountNFT to an alt, will revert here
This is an issue for 2 reasons:
The keeper's Tx reverts, so they have been griefed
fillOffchainOrderstakes in a list ofoffchainOrders, if just one of them reverts then all the other orders will not fill. Therefore an attacker can easily spam reverting orders to delay honest user's orders from filling
When an incompatible off chain order is processed it should skip filling it and move on to the next order in the array rather than reverting the whole tx
Impact
keeper loses funds
The other users that would have been filled are having their orders delayed because of one attacker
Tools Used
Manual Review
Recommendations
wrap each iteration of the loop in a try catch block, so that if one reverts it moves on to the next
Or use continue instead of revert
Lead Judging Commences
fillOffchainOrders reverts everything if a single order fails one of the multiple checks
If you send 1 cancel and 1 create it should still run the cancel, not revert everything.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.