cannotExecute is missing from `checkLog`
Github
https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/external/chainlink/keepers/market-order/MarketOrderKeeper.sol#L102
https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/external/chainlink/interfaces/ILogAutomation.sol#L31-L32
Summary
The checkLog function in the MarketOrderKeeper contract is missing the cannotExecute modifier. This function is intended to be called off-chain by the Chainlink automation framework to determine if upkeep is needed, and it should not be executed directly on-chain.
Impact
Without the cannotExecute modifier:
The function can be called directly on-chain, leading to unnecessary gas usage. While the protocol will be deployed only on Arbitrum so gas will not be a big issue but still
cannotExecuteshould be added as instructed in the Inheritance natspace.It exposes the contract to potential exploits where malicious actors could spam the function.
It breaks the design assumption that the function is only used for off-chain simulations, potentially causing logical inconsistencies.
Recommendation
Add the cannotExecute modifier to the checkLog function to ensure it is only used in its intended off-chain simulation context and cannot be executed directly on-chain.
Lead Judging Commences
`cannotExecute` modifier missing
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.