The protocol will pay double of the directBuy order amount if the order escrow is fully taken then fully fulfilled
Summary
The protocol will pay double of the directBuy order amount if the order escrow is fully taken then fully fulfilled
Vulnerability Detail
In DirectBuyIssuer contract: the protocol will pay double of the directBuy order amount if any operator takes the full escrow payment of any directBuy order then the same order is fully fulfilled by the same operator or another one.
Let's look at the following scenario,imaginging that we have two operators: operator#1 & operator#2 :
operator#1 calls takeEscrow function to take the whole escrow of a specific directBuy order;so by doing this, the getOrderEscrow[orderId] of that order will be updated to zero: getOrderEscrow[orderId] = escrow - amount;
assuming that the same operator (operator#1) wants to fully fulfill that same order by mistake, so in _fillOrderAccounting function there's the following check before filling the order and transferring the payment to the operator : if (fillAmount > orderState.remainingOrder - escrow) revert AmountTooLarge();
so operator#1 was able to bypass this check and proceed with filling the order, so at the end of this transaction operator#1 will be having the getOrderEscrow[orderId](which is order.paymentTokenQuantity) + fillAmount (which is order.paymentTokenQuantity)= double of order amount.
Assuming that each operator is aware of the orders that he has taken all its escrow ,so he will not attempt to fill it maliciously or by mistake; another possible scenario might happen when another operator tries to fill the order that has its escrow taken:
now repeating point#2 but with operator#2!
Impact
The protocol will be paying more of its paymentToken (USDC or USDT) than its balance,which will lead to orders not being able to be filled or cancelled due to insufficient protocol balance.
hals
high
The protocol will pay double of the directBuy order amount if the order escrow is fully taken then fully fulfilled
Summary
The protocol will pay double of the directBuy order amount if the order escrow is fully taken then fully fulfilled
Vulnerability Detail
DirectBuyIssuercontract: the protocol will pay double of the directBuy order amount if any operator takes the full escrow payment of any directBuy order then the same order is fully fulfilled by the same operator or another one.Let's look at the following scenario,imaginging that we have two operators:
operator#1&operator#2:operator#1callstakeEscrowfunction to take the whole escrow of a specific directBuy order;so by doing this, thegetOrderEscrow[orderId]of that order will be updated to zero:getOrderEscrow[orderId] = escrow - amount;assuming that the same operator (
operator#1) wants to fully fulfill that same order by mistake, so in_fillOrderAccountingfunction there's the following check before filling the order and transferring the payment to the operator :if (fillAmount > orderState.remainingOrder - escrow) revert AmountTooLarge();so
operator#1was able to bypass this check and proceed with filling the order, so at the end of this transactionoperator#1will be having thegetOrderEscrow[orderId](which isorder.paymentTokenQuantity) + fillAmount (which isorder.paymentTokenQuantity)= double of order amount.Assuming that each operator is aware of the orders that he has taken all its escrow ,so he will not attempt to fill it maliciously or by mistake; another possible scenario might happen when another operator tries to fill the order that has its escrow taken: now repeating point#2 but with
operator#2!Impact
The protocol will be paying more of its
paymentToken(USDC or USDT) than its balance,which will lead to orders not being able to be filled or cancelled due to insufficient protocol balance.Code Snippet
DirectBuyIssuer.sol/takeEscrowfunction: L65DirectBuyIssuer.sol/_fillOrderAccountingfunction: L123Tool used
Manual Review
Recommendation
DirectBuyIssuer.sol/takeEscrowfunction: prevent operators from taking the full amount of the order's escrow by updating the following check: