tvdung94 - Malicious users might grief other users by forcing execute orders

[sherlock-admin2]

tvdung94

medium

Malicious users might grief other users by forcing execute orders

Summary

Malicious users might grief other users by forcing execute orders.

Vulnerability Detail

The fact that users can freely trigger order execution for others might introduce an opportunity for malicious users to grief others. Consider this scenario:

• User A places an order but does not want to execute it yet; he is waiting for better timing.
• User B sees that and force execute the order (also get rewarded from it).
• User A eats loss if there is any from that order.

  Impact

  Unfair for users who place their orders without immediate executing.

  Code Snippet

  https://github.com/sherlock-audit/2023-10-perennial/blob/main/perennial-v2/packages/perennial-extensions/contracts/MultiInvoker.sol#L145-L149

  Tool used

Manual Review

Recommendation

Consider adding an option for users to allow/disallow other users to trigger their placed orders.

[sherlock-admin2]

2 comment(s) were left on this issue during the judging contest.

panprog commented:

invalid, orders are expected to be executed as soon as their condition is satisfied, it is not expected that only the user himself can execute it, contrary, it's the keepers who execute orders as soon as possible

tsvetanovv commented:

Low