JOJOExternal.approveTrade could be blocked by sending incorrect values
Summary
When sending a trade off-chain, if one of the requirements values (which are checked on-chain) are incorrect, approveTrade will always fail leading to DoS
Assuming above, it's possible to send multiple trades off-chain with incorrect data to prevent from other trades happening.
E.g. a user submits a trade off-chain where, in tradeDate, order.perp does not equal the Perpetual.sol address which leads to failing of the approveTrade function.
Also assuming (and a bit according to the docs), when orders are send from off-chain to on-chain, the off-chain sets those order in pause or even temporary removes them.
By sending multiple trades with incorrect values, a lot of trades could be blocked for a period of time.
Impact
Multiple trades could be blocked for a period of time
Delvir0
medium
JOJOExternal.approveTrade could be blocked by sending incorrect values
Summary
When sending a trade off-chain, if one of the requirements values (which are checked on-chain) are incorrect,
approveTrade
will always fail leading to DoSVulnerability Detail
How the trade are exactly matched off-chain or what kind of data is gathered and send off-chain (and how) is unclear. So assuming the user has the possibility to send all data that is within
tradeData
https://github.com/sherlock-audit/2023-04-jojo/blob/main/smart-contract-EVM/contracts/impl/JOJOExternal.sol#L126Assuming above, it's possible to send multiple trades off-chain with incorrect data to prevent from other trades happening. E.g. a user submits a trade off-chain where, in
tradeDate
,order.perp
does not equal the Perpetual.sol address which leads to failing of theapproveTrade
function.Also assuming (and a bit according to the docs), when orders are send from off-chain to on-chain, the off-chain sets those order in pause or even temporary removes them. By sending multiple trades with incorrect values, a lot of trades could be blocked for a period of time.
Impact
Multiple trades could be blocked for a period of time
Code Snippet
https://github.com/sherlock-audit/2023-04-jojo/blob/main/smart-contract-EVM/contracts/impl/JOJOExternal.sol#L103-L163
Tool used
Manual Review
Recommendation
A recommendation on this is hard since a big part of this is handled off-chain without insight of it