OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Denial of service: an attacker who drives _nextOrderId to its maximum value prevents every other user from creating a new sell order

Author Revealed upon completion

Description

  • _nextOrderId is a uint256 that is advanced by one on every successful createSellOrder call, and the code never checks how close it is to its maximum. If the value reached 2^256 - 1, the next `_nextOrderId++` would overflow; under Solidity ^0.8.0 checked arithmetic that overflow does not wrap but reverts with a Panic(0x11), so from that point on every createSellOrder call reverts and no new sell order can ever be created. Reaching that value requires on the order of 2^256 successful calls, one increment each, which is why the finding was judged non-acceptable severity (see Updates below).

    uint256 orderId = _nextOrderId++;

  • A second point is ordering: `_nextOrderId++` executes before the token transfer. If safeTransferFrom reverts, however, the whole transaction reverts and the increment already written to storage is rolled back with it, so failed transactions do not advance the counter; only successful orders consume an id, and the ordering does not make exhaustion any faster.

    uint256 orderId = _nextOrderId++;
    IERC20(_tokenToSell).safeTransferFrom(msg.sender, address(this), _amountToSell);
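The two behaviours described above, as an added Foundry example that is not part of this submission or of the OrderBook contest code. The contract, token and test names are hypothetical; the contract keeps the same `uint256 orderId = _nextOrderId++;` pattern with the transfer after it, and the test forces the counter to `type(uint256).max` with the `vm.store` cheatcode (the only feasible way to get there) to show the Panic(0x11) revert, and shows that a reverting `transferFrom` rolls the increment back.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the OrderBook contest code. All names are hypothetical.
// CounterBook mirrors the `uint256 orderId = _nextOrderId++;` pattern with the
// token transfer after the increment; the tests show (1) the counter advances
// only on success, (2) a reverting transfer rolls the increment back, and
// (3) the ++ reverts with Panic(0x11) once the counter is at type(uint256).max.
import {Test, stdError} from "forge-std/Test.sol";

interface IToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Toy token whose transferFrom reverts when the sender lacks balance.
contract MockToken is IToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract CounterBook {
    uint256 private _nextOrderId; // first state variable: storage slot 0
    mapping(uint256 => address) public sellerOf;

    function createSellOrder(address token, uint256 amount) external returns (uint256) {
        // Increment first, transfer second, as in the pattern under discussion.
        // At type(uint256).max the ++ reverts with Panic(0x11) under 0.8 checked math.
        uint256 orderId = _nextOrderId++;
        require(IToken(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        sellerOf[orderId] = msg.sender;
        return orderId;
    }

    function nextOrderId() external view returns (uint256) {
        return _nextOrderId;
    }
}

contract CounterBookTest is Test {
    CounterBook book;
    MockToken token;
    address seller = address(0xBEEF); // constructed test account

    function setUp() public {
        book = new CounterBook();
        token = new MockToken();
    }

    function testIdsAdvanceOnlyOnSuccess() public {
        token.mint(seller, 10 ether);
        vm.prank(seller);
        assertEq(book.createSellOrder(address(token), 1 ether), 0);
        vm.prank(seller);
        assertEq(book.createSellOrder(address(token), 1 ether), 1);
        assertEq(book.nextOrderId(), 2);
    }

    function testFailedTransferRollsBackIncrement() public {
        // seller holds no tokens, so transferFrom reverts after the ++ already ran
        vm.prank(seller);
        vm.expectRevert(bytes("insufficient balance"));
        book.createSellOrder(address(token), 1 ether);
        // The revert discarded the whole transaction, increment included.
        assertEq(book.nextOrderId(), 0);
    }

    function testRevertsAtMax() public {
        // 2^256 - 1 successful calls are not feasible; write the slot directly instead.
        vm.store(address(book), bytes32(uint256(0)), bytes32(type(uint256).max));
        assertEq(book.nextOrderId(), type(uint256).max);
        token.mint(seller, 1 ether);
        vm.prank(seller);
        vm.expectRevert(stdError.arithmeticError); // Panic(uint256) with code 0x11
        book.createSellOrder(address(token), 1 ether);
    }
}
```

Run with `forge test` in a project that has forge-std installed. The `vm.store` write targets slot 0 because `_nextOrderId` is the first state variable of this toy contract; in a real contract the slot must be read from the storage layout.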

Impact:

  • Denial of service: once _nextOrderId reaches type(uint256).max, every createSellOrder call reverts and no user can create a sell order.

Proof of Concept


Recommended Mitigation

- uint256 orderId = _nextOrderId++;
- IERC20(_tokenToSell).safeTransferFrom(msg.sender, address(this), _amountToSell);
+ uint256[] private transactionCounts;
+ uint256 private currentIndex;
+ constructor() {
+ transactionCounts.push(0);
+ currentIndex = 0;
+ }
+ function createSellOrder(.....) public returns (uint256) {
+ if (transactionCounts[currentIndex] == type(uint256).max) {
+ if (currentIndex + 1 == transactionCounts.length) {
+ transactionCounts.push(0);
+ }
+ currentIndex++;
+ }
+ IERC20(_tokenToSell).safeTransferFrom(msg.sender, address(this), _amountToSell);
+ transactionCounts[currentIndex]++;
+ }
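Review bot: the rewritten createSellOrder no longer produces an order id: the removed `uint256 orderId = _nextOrderId++;` is the value the function is declared to return (`returns (uint256)`) and the key under which the order is stored, yet the new body returns nothing, and `transactionCounts[currentIndex]++` only counts orders within a bucket, so two orders created under the same currentIndex get no distinguishing identifier. The `transactionCounts[currentIndex] == type(uint256).max` branch is also unreachable in practice, since a bucket advances by one per successful call and would need 2^256 - 1 calls to fill, which is the same reason the original counter cannot be exhausted. Suggest keeping `uint256 orderId = _nextOrderId++;` and the transfer as in the original and dropping the bucket array; if the increment-before-transfer ordering is the concern, a reverting safeTransferFrom reverts the increment along with it, so no extra handling is needed.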
Updates

Lead Judging Commences

yeahchibyke Lead Judge about 5 hours ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
