The createSellOrder function does not restrict the number of orders a user can create, enabling malicious actors to spam the contract with unlimited or dust-value orders, leading to storage bloat and potential denial of service.
There are no checks or limits on how many orders a single user can create. Attackers can exploit this by creating a large number of orders, including those with minimal ("dust") amounts. This can fill up the contract's storage, increase gas costs for all users, and potentially make the contract unusable or expensive to interact with. Additionally, dust orders can clutter the order book, making it harder for legitimate users and off-chain indexers to process relevant orders.
Storage Bloat: Unlimited orders increase storage usage, raising gas costs for all users.
Denial of Service: Excessive orders can make the contract slow or expensive to interact with, potentially leading to DoS.
Order Book Pollution: Dust orders clutter the order book, reducing usability and efficiency for traders and indexers.
An attacker writes a script to call createSellOrder in a loop, creating thousands of orders with minimal amounts.
The contract's storage grows rapidly, increasing gas costs and making it harder for users to find legitimate orders.
Off-chain indexers and UIs are overwhelmed by the volume of irrelevant orders.
Implement per-user order limits: Restrict the number of active orders each user can have at any time.
Set a minimum order size: Require _amountToSell and _priceInUSDC to be above a reasonable threshold to prevent dust orders.
Consider order creation fees: Introduce a small fee for creating orders to discourage spam.
Add admin controls: Allow the contract owner to pause order creation or blacklist abusive addresses if necessary.
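The following contract is an added illustration of the four recommendations above combined in one hardened createSellOrder; it is not the audited project's code. Only the function name and the _amountToSell and _priceInUSDC parameters come from the finding. The contract name, the Order struct, the storage layout, the threshold values and the cancelSellOrder, pause and blacklist functions are assumptions chosen to show the checks in context. The key design point is that the per-user cap counts active orders and is decremented when an order is cancelled or filled, so an honest trader who cleans up is never permanently locked out, while a single address can only ever pin a bounded amount of storage.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not the audited project's code). Contract name, Order struct,
/// storage layout and all threshold values are assumptions; only createSellOrder,
/// _amountToSell and _priceInUSDC are taken from the finding.
contract HardenedOrderBook {
    struct Order {
        address seller;
        uint256 amountToSell;
        uint256 priceInUSDC;
        bool active;
    }

    // Mitigation parameters (assumed values; tune per deployment).
    uint256 public constant MAX_ACTIVE_ORDERS_PER_USER = 20;
    uint256 public constant MIN_AMOUNT_TO_SELL = 1e16; // 0.01 token at 18 decimals
    uint256 public constant MIN_PRICE_IN_USDC = 1e6;   // 1 USDC at 6 decimals
    uint256 public orderCreationFee;                    // in wei; 0 disables the fee

    address public owner;
    bool public orderCreationPaused;
    mapping(address => bool) public blacklisted;

    Order[] public orders;
    // Number of *active* orders per seller; decremented on cancel so the cap
    // bounds live storage without permanently locking out honest users.
    mapping(address => uint256) public activeOrderCount;

    error Paused();
    error Blacklisted(address account);
    error TooManyActiveOrders(uint256 current, uint256 max);
    error AmountBelowMinimum(uint256 amount, uint256 min);
    error PriceBelowMinimum(uint256 price, uint256 min);
    error InsufficientFee(uint256 sent, uint256 required);
    error NotOwner();
    error NotSeller();
    error OrderNotActive(uint256 orderId);

    event SellOrderCreated(uint256 indexed orderId, address indexed seller, uint256 amountToSell, uint256 priceInUSDC);
    event SellOrderCancelled(uint256 indexed orderId);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(uint256 _orderCreationFee) {
        owner = msg.sender;
        orderCreationFee = _orderCreationFee;
    }

    function createSellOrder(uint256 _amountToSell, uint256 _priceInUSDC) external payable returns (uint256 orderId) {
        // Admin controls: emergency pause and abuse blacklist.
        if (orderCreationPaused) revert Paused();
        if (blacklisted[msg.sender]) revert Blacklisted(msg.sender);

        // Per-user limit on simultaneously active orders bounds the storage
        // any single address can occupy.
        uint256 current = activeOrderCount[msg.sender];
        if (current >= MAX_ACTIVE_ORDERS_PER_USER) revert TooManyActiveOrders(current, MAX_ACTIVE_ORDERS_PER_USER);

        // Minimum order size rejects dust orders outright.
        if (_amountToSell < MIN_AMOUNT_TO_SELL) revert AmountBelowMinimum(_amountToSell, MIN_AMOUNT_TO_SELL);
        if (_priceInUSDC < MIN_PRICE_IN_USDC) revert PriceBelowMinimum(_priceInUSDC, MIN_PRICE_IN_USDC);

        // Creation fee makes mass order spam economically unattractive.
        if (msg.value < orderCreationFee) revert InsufficientFee(msg.value, orderCreationFee);

        // A real order book would escrow _amountToSell of the sold token here.
        orderId = orders.length;
        orders.push(Order({seller: msg.sender, amountToSell: _amountToSell, priceInUSDC: _priceInUSDC, active: true}));
        activeOrderCount[msg.sender] = current + 1;
        emit SellOrderCreated(orderId, msg.sender, _amountToSell, _priceInUSDC);
    }

    function cancelSellOrder(uint256 orderId) external {
        Order storage o = orders[orderId];
        if (!o.active) revert OrderNotActive(orderId);
        if (o.seller != msg.sender) revert NotSeller();
        o.active = false;
        activeOrderCount[msg.sender] -= 1; // frees a slot under the per-user cap
        emit SellOrderCancelled(orderId);
    }

    function setOrderCreationPaused(bool paused) external onlyOwner { orderCreationPaused = paused; }
    function setBlacklisted(address account, bool status) external onlyOwner { blacklisted[account] = status; }
    function setOrderCreationFee(uint256 fee) external onlyOwner { orderCreationFee = fee; }
    function withdrawFees(address payable to) external onlyOwner { to.transfer(address(this).balance); }
}
```

Whichever path fills an order in the real contract must also decrement activeOrderCount for the seller, exactly as cancelSellOrder does; otherwise filled orders still count against the cap. The minimum thresholds and the per-user cap should be chosen against the token's decimals and the expected trading pattern, since values that are too high become their own usability problem.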