By cancelling orders and increasing their account nonce, a malicious user can DoS batch fulfilment of fillOffchainOrders.
Keepers call fillOffchainOrders() to batch fill off-chain orders. However, the entire transaction reverts if any single order's nonce does not match the account's current nonce. A malicious user can commit an order, then immediately call cancelAllOffchainOrders, which increments their account nonce and makes the whole batch revert, preventing every order in it from being filled.
Permanent DoS of fillOffchainOrders, which disrupts a key piece of functionality: submitting orders off-chain, which enables features such as limit orders. The attack can be repeated at no cost to the malicious trader. Other traders' orders are not filled, or are delayed, resulting in lost potential profits and a poor experience on Zaros. Keepers also waste gas on the failed fill attempts.
https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/branches/SettlementBranch.sol#L237
Manual Review
To prevent the DoS, use continue instead of revert when the nonces do not match. This mirrors the handling here (https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/branches/SettlementBranch.sol#L291) when the fillPrice is invalid.
If you send 1 cancel and 1 create it should still run the cancel, not revert everything.