code-423n4 / 2023-08-reserve-mitigation-findings


Attacker might disable trading by faking a report violation #40

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/reserve-protocol/protocol/blob/99d9db72e04db29f8e80e50a78b16a0b475d79f3/contracts/plugins/trading/DutchTrade.sol#L212-L214

Vulnerability details

Dutch trade now creates a report violation whenever the price is 1.5x the best price. The issue is that the attacker can fake a report violation by buying at the higher price. Since revenue traders don't have a minimum trade amount, that can cost the attacker near zero funds.

A mitigation might be to create a violation report only if the price is high and the total value of the sell is above some threshold.

Assessed type

Other
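The cost argument in the report above, as a simplified model added here for illustration; it is not part of the original report and not Reserve's code. The 1.5x multiple comes from the report, while the `Fill` type, the function names, the `>=` comparison, the threshold value and the sample fills are assumptions.

```python
from dataclasses import dataclass
from fractions import Fraction

# "x1.5" comes from the report; everything else here is a hypothetical model.
VIOLATION_MULTIPLE = Fraction(3, 2)

@dataclass(frozen=True)
class Fill:
    best_price: Fraction   # best price of the auction, per unit sold
    bid_price: Fraction    # price the bidder actually paid, per unit sold
    sell_amount: Fraction  # units of the sell token in the lot

    @property
    def sell_value(self) -> Fraction:
        # Lot value measured at the best price.
        return self.best_price * self.sell_amount

    @property
    def overpayment(self) -> Fraction:
        # What the bidder gives up relative to paying the best price.
        return (self.bid_price - self.best_price) * self.sell_amount

def violates_price_only(fill: Fill) -> bool:
    """Behaviour described in the report: price alone triggers a violation."""
    return fill.bid_price >= VIOLATION_MULTIPLE * fill.best_price

def violates_with_threshold(fill: Fill, min_sell_value: Fraction) -> bool:
    """Suggested mitigation: also require the lot to be worth enough."""
    return violates_price_only(fill) and fill.sell_value >= min_sell_value

def min_cost_to_trigger(min_sell_value: Fraction) -> Fraction:
    """Smallest overpayment that still triggers a report under the threshold rule."""
    return min_sell_value * (VIOLATION_MULTIPLE - 1)

# Constructed sample fills (not taken from any real auction).
DUST = Fill(Fraction(1), Fraction(3, 2), Fraction(1, 10**6))
LARGE = Fill(Fraction(1), Fraction(3, 2), Fraction(50_000))
FAIR = Fill(Fraction(1), Fraction(11, 10), Fraction(50_000))
MIN_SELL_VALUE = Fraction(1_000)  # hypothetical threshold, in units of account

if __name__ == "__main__":
    for name, f in (("dust", DUST), ("large", LARGE), ("fair", FAIR)):
        print(name, violates_price_only(f),
              violates_with_threshold(f, MIN_SELL_VALUE), float(f.overpayment))
```

With a value threshold, a report can only be triggered by giving up at least half the threshold value, so the choice of threshold sets the price of a false report.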

c4-sponsor commented 1 year ago

tbrent marked the issue as sponsor confirmed

c4-judge commented 1 year ago

0xean marked the issue as satisfactory

liveactionllama commented 1 year ago

Per discussion with the judge @0xean, this is a new/unique finding. Adding the selected for report label for awarding and reporting purposes.

pmckelvy1 commented 10 months ago

fixed: only rebalancing trades can disable dutch trades in this manner https://github.com/reserve-protocol/protocol/blob/master/contracts/p1/Broker.sol#L142