Lines of code
https://github.com/code-423n4/2024-01-init-capital-invitational/blob/main/contracts/hook/MarginTradingHook.sol#L504
Vulnerability details
The MarginTradingHook#updateOrder function allows users to update their orders. It checks that the requested order is active (L513) and that the caller has an open position (L515). However, it fails to check that the caller's initPosId is equal to the initPosId saved in the order struct, that is, that the caller is the order creator:
Impact
Any order in the MarginTradingHook contract could be updated by other users.
Proof of Concept
The following test, added to the TestMarginTradingHelper file, shows a scenario in which a user can update other users' active orders:
Recommended Mitigation Steps
Consider adding a check that prevents updating arbitrary orders, similar to the cancelOrder function:
Assessed type
Access Control
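The missing ownership check from the vulnerability details and the recommended mitigation, shown side by side in a simplified model. This is an added example, not the MarginTradingHook source or the report's own test. The contract name, the openPosition and createOrder helpers, the triggerPrice field, the error strings and the layout of the initPosIds mapping are assumptions; only updateOrder, initPosId and the order struct's initPosId field are taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Simplified model for illustration only; not the MarginTradingHook source.
contract OrderBookModel {
    enum OrderStatus { Cancelled, Active, Filled }
    struct Order {
        uint256 initPosId;      // position the order was created for
        uint256 triggerPrice;   // hypothetical field standing in for order parameters
        OrderStatus status;
    }

    // Assumed layout: caller => caller-local position id => global position id (0 = none)
    mapping(address => mapping(uint256 => uint256)) public initPosIds;
    mapping(uint256 => Order) public orders;
    uint256 private lastPosId;
    uint256 private lastOrderId;

    function openPosition(uint256 posId) external returns (uint256 initPosId) {
        require(initPosIds[msg.sender][posId] == 0, "position exists");
        initPosId = ++lastPosId;
        initPosIds[msg.sender][posId] = initPosId;
    }

    function createOrder(uint256 posId, uint256 triggerPrice) external returns (uint256 orderId) {
        uint256 initPosId = initPosIds[msg.sender][posId];
        require(initPosId != 0, "position not found");
        orderId = ++lastOrderId;
        orders[orderId] = Order(initPosId, triggerPrice, OrderStatus.Active);
    }

    // Pattern described in the finding: the order is active and the caller owns
    // *a* position, but nothing ties that position to the order being changed.
    function updateOrderUnchecked(uint256 posId, uint256 orderId, uint256 triggerPrice) external {
        Order storage order = orders[orderId];
        require(order.status == OrderStatus.Active, "order not active");
        require(initPosIds[msg.sender][posId] != 0, "position not found");
        order.triggerPrice = triggerPrice;
    }

    // Hardened form: the caller's position must be the one stored in the order.
    function updateOrder(uint256 posId, uint256 orderId, uint256 triggerPrice) external {
        Order storage order = orders[orderId];
        require(order.status == OrderStatus.Active, "order not active");
        uint256 initPosId = initPosIds[msg.sender][posId];
        require(initPosId != 0, "position not found");
        require(order.initPosId == initPosId, "not order owner");
        order.triggerPrice = triggerPrice;
    }
}
```

A regression test for the fix should create an order from one account, call updateOrder from a second account that holds its own position, and assert that the call reverts and the stored order is unchanged.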