Submission Details
Impact:
Likelihood:
Missing Access Control for Order Amendment by Non-Owners
Root + Impact
Description
-
Only the order creator should be able to amend their orders
-
The contract correctly checks
order.seller != msg.senderbut this check could be bypassed if seller address is compromised or if there are issues with address validation
function amendSellOrder(
uint256 _orderId,
uint256 _newAmountToSell,
uint256 _newPriceInUSDC,
uint256 _newDeadlineDuration
) public {
Order storage order = orders[_orderId];
// @> This check is present but could be strengthened
if (order.seller != msg.sender) revert NotOrderSeller();
// ... rest of function
}
Risk
Likelihood:
-
Low- Depends on external factors like address compromise
-
Current validation is basic but functional
Impact:
-
Medium - Unauthorized modification of orders could lead to significant financial loss
-
Could manipulate prices or amounts maliciously
Proof of Concept
// If seller private key is compromised, attacker could amend orders
// No additional security measures beyond basic address check
Recommended Mitigation
+ // Consider adding additional security measures like:
+ // - Time delays for amendments
+ // - Multi-signature requirements for large orders
+ // - Nonce-based validation
Rewards breakdown
nSLOC
217This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.