The createMarketOrder function interacts with multiple external storage slots and external contracts. However, there is no explicit reentrancy protection in place, making it possible for an attacker to exploit reentrant calls to manipulate the state variables before execution completes.
The attacker owns a trading account (tradingAccountId) with some collateral.
The attacker deploys a malicious contract that interacts with the createMarketOrder function.
The function fetches marginBalanceUsdX18 before updating it.
The malicious contract executes a reentrant callback from inside the vulnerable function call.
A malicious contract could execute a reentrant call before critical state updates occur, allowing double spending, bypassing margin checks, or manipulating pending orders.
This could lead to incorrect account balances, improper order execution, and market manipulation.
Since this function involves margin validation, open interest limits, and pending orders, an attacker might be able to place multiple orders with insufficient margin by exploiting reentrant execution.
Manual review and testing.
Use the nonReentrant modifier (e.g. OpenZeppelin's ReentrancyGuard).
Validate order state again before final execution.
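As an added illustration (not the audited project's code), a hypothetical sketch of the recommended mitigation: a ReentrancyGuard-style nonReentrant modifier combined with checks-effects-interactions ordering, so that marginBalanceUsdX18 is validated and the pending-order state committed before any external call. The TradingAccount layout, the ISettlementHook interface, openAccount and the 10% margin rule are assumptions made for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical hook invoked after an order is recorded; stands in for any external contract.
interface ISettlementHook {
    function onOrderCreated(uint128 tradingAccountId, int128 sizeDelta) external;
}
contract MarketOrderGuardExample {
    struct TradingAccount {
        address owner;
        int256 marginBalanceUsdX18; // 18-decimal fixed-point USD margin (assumed layout)
        bool hasPendingOrder;
    }
    mapping(uint128 => TradingAccount) public accounts;
    ISettlementHook public immutable hook;
    // Minimal reentrancy lock; OpenZeppelin's ReentrancyGuard implements the same idea.
    uint256 private _locked = 1;
    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }
    constructor(ISettlementHook hook_) {
        hook = hook_;
    }
    // Hypothetical account creation for the sketch; collateral deposits are out of scope.
    function openAccount(uint128 tradingAccountId, int256 marginUsdX18) external {
        require(accounts[tradingAccountId].owner == address(0), "account exists");
        accounts[tradingAccountId] = TradingAccount(msg.sender, marginUsdX18, false);
    }
    function createMarketOrder(uint128 tradingAccountId, int128 sizeDelta) external nonReentrant {
        TradingAccount storage acct = accounts[tradingAccountId];
        // Checks: caller owns the account, no order is pending, margin covers the order.
        require(acct.owner == msg.sender, "not account owner");
        require(!acct.hasPendingOrder, "order already pending");
        int256 absSize = sizeDelta < 0 ? -int256(sizeDelta) : int256(sizeDelta);
        require(acct.marginBalanceUsdX18 >= absSize / 10, "insufficient margin"); // assumed 10% rule
        // Effects: commit the pending-order state before touching any external contract.
        acct.hasPendingOrder = true;
        // Interactions last: a callback that re-enters createMarketOrder reverts on the guard,
        // and even without the guard it would fail the hasPendingOrder check above.
        hook.onOrderCreated(tradingAccountId, sizeDelta);
    }
}
```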