Closed c4-bot-5 closed 4 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as primary issue
Inadequate elaboration and proof given.
It adds here.
hansfriese marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/OrdersFacet.sol#L51
Vulnerability details
Impact
cancelShort will not refund a shorter after his short is canceled.
Proof of Concept
When a user adds a short order using the createLimitShort method, LibOrders.addShort will be called in case incomingShort.price < p.oraclePrice. In addShort, the eth value will be deducted from the shorter's ethEscrowed at s.vaultUser[vault][order.addr].ethEscrowed -= eth.

The issue here is that cancelShort will not refund the ethEscrowed that's taken from the shorter if the short is closed.

What exactly cancelShort does: cancelShort will call LibOrders.cancelShort; if (shortRecord.status == SR.Closed), deleteShortRecord will be called for the shortRecordId. Inside the deleteShortRecord method there is no refund for the ethEscrowed that was taken from the shorter's balance when the short was added in [s.vaultUser[vault][order.addr].ethEscrowed -= eth].

Remember that when a short order is added, the status of the shortRecord is initiated as SR.Closed.
Tools Used
Manual review
Recommended Mitigation Steps
Refund the shorter the amount that was deducted from ethEscrowed on cancelShort.
Assessed type
Other