Zaros Part 1
Zaros
DeFiFoundry
60,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Orders has no expiration to be filled

Reentrants

Summary

There is no way for the users to add an expiration time for their orders. Meaning that they are susceptible to have their orders included when the market conditions are not favorable for them anymore.

Synthetix also had the same issue in the past and added an order expiration, so users can be prevented to suffer loss due to having their order activated/filled when the market conditions are not the same/favorable as when the order was created.

https://github.com/Synthetixio/synthetix-v3/blob/8aff01938913983b97faa5ce082c15b86db32e0d/markets/perps-market/contracts/storage/AsyncOrder.sol#L167-L179

Snippet code from Synthetix:

function expired(
Data storage self,
SettlementStrategy.Data storage settlementStrategy
) internal view returns (bool) {
uint256 settlementExpiration = self.commitmentTime +
settlementStrategy.settlementDelay +
settlementStrategy.settlementWindowDuration;
return block.timestamp > settlementExpiration;
}

When filling an order Zaros doesn't check for how long the order has been available. Thus, user can have his order included at any time in the future. This shouldn't happen, user should have an expire time set for his order to be filled.

Impact

Loss of Funds: The user can lose his funds due to the order being filled when the market conditions are not favorable.

Unfairness: Users cannot set an expiration time for the inclusion of their orders

Tools Used

Manual Review & Synthetix past audits

Recommendations

Include an expiration time for orders to be filled. If this time has passed, orders should become invalid and not filled.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

fillMarketOrder lacks slippage protection

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.