Cancelled Orders Are Not Deleted from Storage
Summary
The cancelSellOrder function marks cancelled orders as inactive but does not remove their data from the orders mapping, leaving stale order data in contract storage.
Vulnerability details
When a user cancels a sell order, the function only sets order.isActive = false and returns the tokens to the seller. The order struct remains in the orders mapping, occupying storage. Over time, this can lead to unnecessary storage bloat, increased gas costs for future interactions, and potential confusion for off-chain indexers or UIs that do not filter out inactive orders.
Impact
-
Storage Bloat: Accumulation of cancelled (inactive) orders increases contract storage usage, raising the cost of future transactions and potentially making the contract more expensive to interact with.
-
Indexing/UI Issues: Off-chain systems may need to filter out inactive orders, increasing complexity and risk of errors.
-
No Refund of Storage Costs: Sellers do not receive any gas refunds for freeing up storage, which is possible if the order struct is deleted.
Proof of Concept
User creates multiple sell orders.
User cancels each order.
The
ordersmapping still contains all cancelled order structs, withisActive = false.Storage usage increases linearly with the number of cancelled orders.
Recommended Mitigation
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.