Handle
0xRajeev
Vulnerability details
Impact
Market pause (via the marketPaused boolean) only pauses the acceptTrade() function. It should also pause cancellation of offers, unless leaving cancellation open is a specified failsafe that allows offers to be cancelled if/when the protocol has been exploited somehow.
Otherwise, outstanding offers can be cancelled while the market is paused for trades.
Proof of Concept
https://github.com/code-423n4/2021-04-redacted/blob/2ec4ce8e98374be2048126485ad8ddacc2d36d2f/Beebots.sol#L611-L617
https://github.com/code-423n4/2021-04-redacted/blob/2ec4ce8e98374be2048126485ad8ddacc2d36d2f/Beebots.sol#L619-L620
https://github.com/code-423n4/2021-04-redacted/blob/2ec4ce8e98374be2048126485ad8ddacc2d36d2f/Beebots.sol#L230-L233
Tools Used
Manual Analysis
Recommended Mitigation Steps
Apply the market pause to cancelOffer() as well, or specify that this is intentional by design, allowing makers to cancel offers during a market pause as an emergency failsafe.
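Both options from the recommendation, sketched as an added example (this is not code from Beebots.sol or from the auditor). Only marketPaused, acceptTrade and cancelOffer are names from the finding; the contract name, the cancelAllowedWhilePaused flag, the offer layout and the event are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Beebots.sol. Only marketPaused, acceptTrade and
// cancelOffer are names from the finding; everything else is assumed.
contract PausableMarketSketch {
    address public immutable owner;
    bool public marketPaused;
    // true  = cancelling during a pause is a documented emergency failsafe
    // false = the pause also blocks cancellation
    bool public immutable cancelAllowedWhilePaused;

    struct Offer { address maker; bool active; }
    mapping(bytes32 => Offer) public offers;

    event OfferCancelled(bytes32 indexed id, address indexed maker, bool duringPause);

    constructor(bool _cancelAllowedWhilePaused) {
        owner = msg.sender;
        cancelAllowedWhilePaused = _cancelAllowedWhilePaused;
    }

    modifier whenMarketNotPaused() {
        require(!marketPaused, "market paused");
        _;
    }

    function pauseMarket(bool paused) external {
        require(msg.sender == owner, "not owner");
        marketPaused = paused;
    }

    function createOffer(bytes32 id) external whenMarketNotPaused {
        require(offers[id].maker == address(0), "offer exists");
        offers[id] = Offer(msg.sender, true);
    }

    function acceptTrade(bytes32 id) external whenMarketNotPaused {
        require(offers[id].active, "no such offer");
        offers[id].active = false; // offer consumed; asset transfer is outside this example
    }

    // The pause behaviour of cancellation is an explicit, reviewable decision.
    function cancelOffer(bytes32 id) external {
        require(cancelAllowedWhilePaused || !marketPaused, "market paused");
        Offer storage o = offers[id];
        require(o.active && o.maker == msg.sender, "not cancellable");
        o.active = false;
        emit OfferCancelled(id, msg.sender, marketPaused);
    }
}
```

The duringPause field in the event lets off-chain monitoring distinguish failsafe cancellations from ordinary ones when the flag is set to true.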