Open c4-bot-10 opened 8 months ago
hansfriese marked the issue as satisfactory
hansfriese marked the issue as primary issue
fez-init (sponsor) confirmed
We will change the updateOrder
logic to cancel and create a new order instead of modifying the existing order instead.
hansfriese marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2024-01-init-capital-invitational/blob/main/contracts/hook/MarginTradingHook.sol#L539-L563 https://github.com/code-423n4/2024-01-init-capital-invitational/blob/main/contracts/hook/MarginTradingHook.sol#L387
Vulnerability details
Impact
limitPrice_e36
acts as slippage protection for the order creator, depending on the trade/order position (whether long or short). A higher or lower limit price impacts thetokenOut
amount that needs to be transferred to the order's creator. However, when the executor executesfillOrder
, it can be front-run by the order creator to updatelimitPrice_e36
and steal tokens from the executor.Proof of Concept
When
fillOrder
is executed, it will calculate theamtOut
that needs to be transferred toorder.recipient
by calling_calculateFillOrderInfo
.https://github.com/code-423n4/2024-01-init-capital-invitational/blob/main/contracts/hook/MarginTradingHook.sol#L532-L564
As can be observed, it heavily relies on
limitPrice_e36
to calculateamtOut
. A malicious order creator can front-run the execution offillOrder
and steal assets from the executor by changinglimitPrice_e36
, resulting in a high value ofamtOut
depending on the order's position.Tools Used
Manual review.
Recommended Mitigation Steps
Consider to add
limitPrice_e36
check inside thefillOrder
if it bigger than min/max provided limit price, revert the operation.Assessed type
Invalid Validation