search

sherlock-audit / 2023-04-jojo-judging

7 stars 4 forks source link

Delvir0 - JOJOExternal.approveTrade could be blocked by sending incorrect values #424

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

Delvir0

medium

JOJOExternal.approveTrade could be blocked by sending incorrect values

Summary

When sending a trade off-chain, if one of the requirements values (which are checked on-chain) are incorrect, approveTrade will always fail leading to DoS

Vulnerability Detail

How the trade are exactly matched off-chain or what kind of data is gathered and send off-chain (and how) is unclear. So assuming the user has the possibility to send all data that is within tradeData https://github.com/sherlock-audit/2023-04-jojo/blob/main/smart-contract-EVM/contracts/impl/JOJOExternal.sol#L126

Assuming above, it's possible to send multiple trades off-chain with incorrect data to prevent from other trades happening. E.g. a user submits a trade off-chain where, in tradeDate, order.perp does not equal the Perpetual.sol address which leads to failing of the approveTrade function.

Also assuming (and a bit according to the docs), when orders are send from off-chain to on-chain, the off-chain sets those order in pause or even temporary removes them. By sending multiple trades with incorrect values, a lot of trades could be blocked for a period of time.

Impact

Multiple trades could be blocked for a period of time

Code Snippet

https://github.com/sherlock-audit/2023-04-jojo/blob/main/smart-contract-EVM/contracts/impl/JOJOExternal.sol#L103-L163

Tool used

Manual Review

Recommendation

A recommendation on this is hard since a big part of this is handled off-chain without insight of it