Closed c4-bot-7 closed 4 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as primary issue
Readme: Issues related to front-running: can front-run someone's order, liquidation, the chainlink/uniswap oracle update.
hansfriese marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/BidOrdersFacet.sol#L20
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/AskOrdersFacet.sol#L14
Vulnerability details
Impact
A decentralized order book where every bid, ask, or cancel is an on-chain transaction allows validators to extract MEV from bidders and sellers on Ditto, and allows front runners to profit at the expense of Ditto users.
To place or cancel an order, you must call functions in BidOrdersFacet.sol, AskOrdersFacet.sol, OrdersFacet.sol, or ShortRecordFacet.sol. These calls must be processed by validators, which gives them the chance to insert or reorder transactions for a profit.
Front running takes advantage of the same property, except that you don't have to be a validator to do it. Front-running bots observe pending transactions in the mempool; when they see a transaction they could profit from by getting ahead of it (often a very large order that would move the price), they submit their own transactions and pay much higher gas to ensure those are processed first.
The impact of front running and MEV is that third parties profit at the expense of Ditto's users. This can discourage people from placing bids and asks, leading to less liquidity on the platform. One way to handle this is to give a small maker's fee to anyone placing limit orders. Ditto already has such a fee for short orders and some limit bids, but I would recommend it for all bids, asks, and shorts that have been outstanding for at least one block.
Proof of Concept
A validator could, for example, observe that someone is trying to cancel an ask because the price moved against them, and slip a bid of their own in front of the cancel. That bid would be filled by the ask of the person trying to cancel, at a price that is now unfavorable to them. The validator could then sell for an immediate profit in the same block, so the validator's gain is a direct loss to Ditto users. Validators (or front-running bots) can also front run large fills that they expect to move the price.
Tools Used
Manual review
Recommended Mitigation Steps
Many platforms that run on an order book model provide a small incentive for market makers (i.e., people who place limit orders), usually around 50 basis points of the amount filled. Having a lot of outstanding liquidity is very important for an exchange; without it, people won't use the platform. There is currently a reward for short orders and limit bids that have been outstanding for a certain period of time, but none for limit asks, or for bids outstanding for a shorter time.
Providing this fee would give people an incentive to place orders even though there is a risk of being impacted by front running or MEV.
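To make the proof of concept and the mitigation concrete, here is an added toy model (example code written for this report's discussion, not DittoETH's contracts): a minimal limit-ask book in which a user's cancel is sequenced after a bid that a block producer inserted ahead of it, and in which the recommended maker fee is modelled as a taker-paid rebate to any resting order that has survived at least one block. Prices, quantities, and the `OrderBook`/`reordered_cancel` names are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Order:
    owner: str
    price: int          # quote units per asset unit (constructed values)
    amount: int
    placed_block: int

class OrderBook:
    def __init__(self, maker_fee_bps=0, min_resting_blocks=1):
        self.maker_fee_bps = maker_fee_bps          # rebate paid by takers to makers
        self.min_resting_blocks = min_resting_blocks
        self.asks = []                              # resting limit asks
        self.quote = {}                             # owner -> net quote balance change
        self.block = 0
    def new_block(self):
        self.block += 1
    def place_ask(self, owner, price, amount):
        self.asks.append(Order(owner, price, amount, self.block))
    def cancel_ask(self, owner, price):
        before = len(self.asks)
        self.asks = [a for a in self.asks if (a.owner, a.price) != (owner, price)]
        return len(self.asks) < before              # False: already filled, too late

    def place_bid(self, taker, price, amount):
        """Fill against resting asks priced at or below `price`, best price first."""
        for ask in sorted(self.asks, key=lambda a: a.price):
            if ask.price > price or amount == 0:
                break
            qty = min(amount, ask.amount)
            cost = qty * ask.price
            # the rebate only accrues to orders that rested at least min_resting_blocks
            rested = self.block - ask.placed_block >= self.min_resting_blocks
            fee = cost * self.maker_fee_bps // 10_000 if rested else 0
            self.quote[taker] = self.quote.get(taker, 0) - cost - fee
            self.quote[ask.owner] = self.quote.get(ask.owner, 0) + cost + fee
            ask.amount -= qty
            amount -= qty
        self.asks = [a for a in self.asks if a.amount > 0]

def reordered_cancel(maker_fee_bps):
    """User asks 10 at 100; next block fair value is 110 (constructed) and the cancel loses the race."""
    book = OrderBook(maker_fee_bps)
    book.place_ask("user", price=100, amount=10)
    book.new_block()                                    # price has moved to 110
    book.place_bid("producer", price=100, amount=10)    # sequenced before the cancel
    cancelled = book.cancel_ask("user", price=100)
    shortfall = 110 * 10 - book.quote["user"]           # lost versus selling at fair value
    return cancelled, book.quote, shortfall
```

With no maker fee the user is short 100 quote units against fair value; a 50 bps rebate on the resting ask only trims that to 95, which is why the fee is an incentive to keep quoting rather than a fix for the reordering itself.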
Assessed type
MEV