DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

Market orders are missing a deadline

Summary

Users can have orders filled at unfavorable prices if the sequencer goes offline due to missing deadlines in market orders.

Vulnerability Details

Market orders carry no deadline. Under normal conditions this is acceptable: they cannot be front-run on mempool information, because Arbitrum has no public mempool, and as long as the sequencer is live a user who no longer wants the order can simply call cancelMarketOrder before a keeper fills it.

The problem is that the sequencer is not 100% reliable. A user could place an order at one moment and still have it pending much later, with no way to cancel it while the sequencer is down. When the sequencer comes back online, the keeper can fill the stale order before the user's cancel transaction is processed, at whatever price the market has moved to in the meantime.

Example:

  1. Alice places a market order to open a long position.

  2. The sequencer has an issue and goes offline.

  3. Alice cannot cancel the order when the sequencer is offline.

  4. An hour later, market conditions change and the sequencer comes back online.

  5. The keeper bot fills the order.

  6. Alice tries to cancel the order but fails as it already got filled.

If Alice's market order had carried a deadline that elapsed during the outage, the keeper would have been unable to fill it.

Impact

Users can have orders filled at unfavorable prices if the sequencer goes offline.

Tool used

Manual Review.

Recommendations

I recommend adding a user-supplied deadline field to market orders and having the fill path revert once block.timestamp is past that deadline, so that an order stranded by a sequencer outage expires instead of being filled at a stale price.
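The following contract is an added example written for this report; it is not Zaros code and the function bodies, field names and the MAX_DEADLINE_WINDOW cap are hypothetical. It shows the scenario above (create, outage, late fill) and the recommended fix: the order stores a deadline chosen by the trader, and fillMarketOrder refuses any order whose deadline has passed. Because the judge tagged this finding as a duplicate of "fillMarketOrder lacks slippage protection", the example also stores an acceptablePrice bound, which is the complementary control: the deadline limits how long an order may sit, the price bound limits how far the fill may drift from what the trader expected.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not the project's own code. Minimal market-order book
/// illustrating a per-order deadline so that an order stranded by a
/// sequencer outage cannot be filled once it is stale. All names are
/// hypothetical; signed-price verification and position accounting are elided.
contract MarketOrdersWithDeadline {
    struct MarketOrder {
        address trader;
        bool isLong;
        uint128 sizeDelta;       // position size the trader asked for
        uint128 acceptablePrice; // worst price the trader will accept (slippage bound)
        uint64 deadline;         // timestamp after which the order may no longer be filled
        bool active;
    }

    // Hypothetical cap: a market order is by nature "fill now", so a deadline
    // far in the future defeats the purpose. One hour is an assumption.
    uint256 public constant MAX_DEADLINE_WINDOW = 1 hours;

    uint128 public nextId = 1;
    mapping(uint128 => MarketOrder) public orders;
    address public immutable keeper;

    event OrderCreated(uint128 indexed id, address indexed trader, uint64 deadline);
    event OrderCancelled(uint128 indexed id);
    event OrderFilled(uint128 indexed id, uint128 fillPrice);

    error DeadlineInPast();
    error DeadlineTooFar();
    error OrderExpired(uint64 deadline, uint256 nowTs);
    error PriceOutsideBound(uint128 fillPrice, uint128 acceptablePrice);
    error NotTrader();
    error NotKeeper();
    error Inactive();

    constructor(address _keeper) {
        keeper = _keeper;
    }

    /// The trader picks the deadline; it must be in the future and within the cap.
    function createMarketOrder(
        bool isLong,
        uint128 sizeDelta,
        uint128 acceptablePrice,
        uint64 deadline
    ) external returns (uint128 id) {
        if (deadline <= block.timestamp) revert DeadlineInPast();
        if (deadline > block.timestamp + MAX_DEADLINE_WINDOW) revert DeadlineTooFar();
        id = nextId++;
        orders[id] = MarketOrder(msg.sender, isLong, sizeDelta, acceptablePrice, deadline, true);
        emit OrderCreated(id, msg.sender, deadline);
    }

    /// Only useful while the sequencer is processing transactions; during an
    /// outage this call cannot land, which is exactly why the deadline exists.
    function cancelMarketOrder(uint128 id) external {
        MarketOrder storage o = orders[id];
        if (!o.active) revert Inactive();
        if (o.trader != msg.sender) revert NotTrader();
        o.active = false;
        emit OrderCancelled(id);
    }

    /// Keeper fills at the price it supplies (assumed already verified upstream).
    function fillMarketOrder(uint128 id, uint128 fillPrice) external {
        if (msg.sender != keeper) revert NotKeeper();
        MarketOrder storage o = orders[id];
        if (!o.active) revert Inactive();

        // The fix: an order that sat through an outage is refused, not filled.
        if (block.timestamp > o.deadline) revert OrderExpired(o.deadline, block.timestamp);

        // Complementary slippage bound: longs must not pay more, shorts must not
        // receive less, than the price the trader declared acceptable.
        bool tooBad = o.isLong ? fillPrice > o.acceptablePrice : fillPrice < o.acceptablePrice;
        if (tooBad) revert PriceOutsideBound(fillPrice, o.acceptablePrice);

        o.active = false;
        emit OrderFilled(id, fillPrice);
    }
}
```

In the scenario from the report, Alice's order would be created with a deadline a few minutes out; once the sequencer resumes and the keeper calls fillMarketOrder an hour later, the OrderExpired check reverts and Alice's order is simply dead rather than filled at the new price. The check relies on block.timestamp tracking wall-clock time reasonably well once blocks resume, and it narrows the exposure window rather than eliminating it: a fill that lands inside the deadline is still accepted, which is why the acceptablePrice bound is kept alongside it.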

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

fillMarketOrder lacks slippage protection
