Closed c4-bot-9 closed 5 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #114
Kind of unstructured in terms of POC when compared to that of #114 and #128.
hansfriese marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/BidOrdersFacet.sol#L130-L204 https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibOrders.sol#L556-L626 https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/BidOrdersFacet.sol#L150 https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibOrders.sol#L574
Vulnerability details
Description
bidMatchAlgo
andsellMatchAlgo
, which are responsible for matching incoming orders with existing orders in the orderbook based on price.The
bidMatchAlgo
andsellMatchAlgo
functions are expected to match incoming orders with existing orders in the orderbook based on accurate and up-to-date price information. The hint system should optimize the order placement process without compromising the integrity of the matching logic.The expected inputs are the
asset
being traded, theincomingBid
orincomingAsk
order, and theorderHintArray
for efficient order placement.The intended outcome is to fill the incoming order as much as possible by matching it with existing orders at prices that reflect the current market conditions, ensuring fair and accurate trading for all users.
BidOrdersFacet.sol#bidMatchAlgo
LibOrders.sol#sellMatchAlgo
These functions use the cached oracle price and the provided order hints to match incoming orders with existing orders in the orderbook. The
bidMatchAlgo
function updates the oracle price andstartingShortId
if the price difference between the incoming bid and the cached oracle price exceeds a threshold. ThesellMatchAlgo
function adds the incoming ask order to the orderbook if its price is below the cached oracle price.Vulnerability Details
The edge case arises from the combination of the 0.5% buffer, backwards matching logic, and the use of stale prices due to the 15-minute caching window.
The conditions that enable this
The codes responsible are:
bidMatchAlgo
, the comparison if (incomingBid.price >= lowestSell.price) allows matching based on the cached oracle price and the 0.5% buffer.sellMatchAlgo
, the condition if (incomingAsk.price <= highestBid.price) relies on the cached oracle price to determine whether to add the incoming ask order to the orderbook.The actual behavior of the system deviates from the expected behavior in the following ways:
Impact
Proof of Concept
Scenario:
Steps:
An attacker observes the market conditions and identifies an opportunity to exploit the vulnerability.
The attacker places a buy order for 1500 tokens at $99.75, which is within the 0.5% buffer of the cached oracle price ($100).
The
bidMatchAlgo
function is called with the attacker's buy order._getLowestSell
function returns the sell order with the price of $100.50 as the lowest sell order.if (incomingBid.price >= lowestSell.price)
is satisfied since the attacker's buy price of $99.75 is within the 0.5% buffer of the sell order price.updateOracleAndStartingShortViaThreshold
function is called, but since the price difference is within the threshold, no update occurs.The
bidMatchAlgo
function proceeds to match the attacker's buy order with the existing sell orders.The attacker successfully buys 1500 tokens at an average price of $100.67, which is significantly higher than the current market price of $95.
Potential Consequences:
Recommended Mititgation Steps
Reduce the caching window:
Implement price deviation checks:
Enhance the hint system:
Implement circuit breakers:
Assessed type
Context