search

sherlock-audit / 2023-12-flatmoney-judging

11 stars 9 forks source link

LTDingZhen - `executeLimitOrder` is not protected by `whenNotPaused` #167

Closed sherlock-admin closed 6 months ago

sherlock-admin commented 7 months ago

LTDingZhen

medium

executeLimitOrder is not protected by whenNotPaused

Summary

Users can still close their positions even if the contract is paused.

Vulnerability Detail

In DelayedOrder.sol, all actions on the user/keeper side are protected by whenNotPaused, including:

  1. announceStableDeposit
  2. announceStableWithdraw
  3. announceLeverageOpen
  4. announceLeverageAdjust
  5. announceLeverageClose
  6. executeOrder

But in LimitOrder.sol, announceLimitOrder and executeLimitOrder are not protected by whenNotPaused, which enables users to close positions even if the contract is paused.

//LimitOrder.sol#L58
function announceLimitOrder(uint256 tokenId, uint256 priceLowerThreshold, uint256 priceUpperThreshold) external {
...

//LimitOrder.sol#L119
function executeLimitOrder(     
    uint256 tokenId,
    bytes[] calldata priceUpdateData
) external payable nonReentrant updatePythPrice(vault, msg.sender, priceUpdateData) orderInvariantChecks(vault) {
...

Impact

Breaks the consistency of the protocol, making it impossible for administrators to prevent users from closing positions.

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/LimitOrder.sol#L58 https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/LimitOrder.sol#L119-L122

Tool used

Manual Review

Recommendation

Add whenNotPaused on announceLimitOrder and executeLimitOrder.

sherlock-admin commented 6 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 6 months ago

Invalid, similar reasonings to #34