search

sherlock-audit / 2023-04-jojo-judging

7 stars 4 forks source link

rvierdiiev - User can be censored by trade order sender #156

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

rvierdiiev

medium

User can be censored by trade order sender

Summary

User can be censored by trade executor. As result his orders will not be executed and he can face losses.

Vulnerability Detail

In JOJO system, only validOrderSender can execute trading.

This makes possible to censor specific user for that sender. As result user will not be able to trade and control his positions and he can become liquidatable and face losses.

Impact

User can't trade.

Code Snippet

https://github.com/sherlock-audit/2023-04-jojo/blob/main/smart-contract-EVM/contracts/impl/JOJOExternal.sol#L112-L115

Tool used

Manual Review

Recommendation

Do not have any good advice.

JoscelynFarr commented 1 year ago

OrderSender is the person who executes matched transactions. JOJO is a perp DEX in the form of an orderbook that requires professional market makers to participate. Currently, the final authority of orderSender belongs to JOJO team, and in the future, our matching mechanism will be decentralized.