Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Orbiting Rosewood Swallow - Malicious users can createOrder with 0 amount and make DOS for all #731

Open
sherlock-admin2 opened this issue Dec 9, 2024 · 1 comment
Open

Orbiting Rosewood Swallow - Malicious users can createOrder with 0 amount and make DOS for all #731

sherlock-admin2 opened this issue Dec 9, 2024 · 1 comment
Labels
Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin2
Copy link

Orbiting Rosewood Swallow

High

Malicious users can createOrder with 0 amount and make DOS for all

Summary

Malicious users can createOrder with 0 amount and can cause DOS / block users to fillOrder, cancleOrder

Impact

Malicious users will create huge numbers of orders with 0 amountIn.

Now if anyone wants to fillOrder or cancleOrder they can not do it because:

  • Due to the block gas limit, there is a clear limitation in the amount of operation that can be handled in an Array.
  • ArrayMutation::removeFromArray is called on fillOrder, cancleOrder functions.
  • Now because the malicious users have created a huge amount of orders with 0 amount,
  • When normal users go to fillOrder or cancleOrder they simply run out of gas while iterating a huge array of pendingOrderIds.
  • This makes them and every one impossible to do any further action on fillOrder, cancleOrder

PoC

OracleLess::createOrder

    function createOrder(
        IERC20 tokenIn,
        IERC20 tokenOut,
        uint256 amountIn,
        uint256 minAmountOut,
        address recipient,
        uint16 feeBips,
        bool permit,
        bytes calldata permitPayload
    ) external override returns (uint96 orderId) {
        //procure tokens
        procureTokens(tokenIn, amountIn, recipient, permit, permitPayload);

        //construct and store order
        orderId = MASTER.generateOrderId(recipient);
        orders[orderId] = Order({
            orderId: orderId,
            tokenIn: tokenIn,
            tokenOut: tokenOut,
            amountIn: amountIn,
            minAmountOut: minAmountOut,
            recipient: recipient,
            feeBips: feeBips
        });

        //store pending order
        pendingOrderIds.push(orderId);

        emit OrderCreated(orderId);
    }

Mitigation

We can add checks for the createOrder function something like this

require(amountIn > 0, "amount should be greater than 0")

Or can add code like the other Contracts

MASTER.checkMinOrderSize(tokenIn, amountIn);
@sherlock-admin3 sherlock-admin3 added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Dec 17, 2024
@sherlock-admin2
Copy link
Author

The protocol team fixed this issue in the following PRs/commits:
gfx-labs/oku-custom-order-types#1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin2 @sherlock-admin3