Splidge
commented
3 years ago An easy way to find out if the bid exists is to check if the index is non-zero, that's what's done here. However there still exists the possibility that the bid is in the first position of the array, index zero. The bid in index zero could be for any market and any card. We need to check IF the bid in position zero matches the same market AND card, if it does then the bid does exist (it just happens to be in the zero index position and would have been ignored by the earlier check).
0xean
Handle
0xImpostor
Vulnerability details
Impact
It is not clear in the
bidExists()function inRCOrderbook.solwhy there is a need to check that the user's first bid corresponds to the market and card.Tools Used
Manual analysis
Recommended Mitigation Steps
Remove https://github.com/code-423n4/2021-08-realitycards/blob/main/contracts/RCOrderbook.sol#L837-L841