Closed sherlock-admin2 closed 5 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid: they'll be paying for those keeper fees
The keepers are designed in such a way that when a new limit order is created by the same address (owner of the position) even though there already exists one (created by the same owner) then the limit order parameters are simply updated in the database. This is because one position cannot have multiple limit orders as per design.
The keepers are all separate services i.e, liquidations, limit order execution and order execution are all different services and bots can choose to run a mix of these services if they wish to.
Hence, I would consider this as not an issue.
xiaoming90
medium
Existing limit order is not cancelled
Summary
The existing limit order is not cancelled when a new limit order is announced. As a result, the keepers will be DOSed, which might degrade or halt the ability of the keeper to carry out their roles (e.g., executing orders and liquidating accounts).
For instance, if the liquidating of accounts cannot be executed or is being slowed down, the solvency of the protocol will be threatened, OR if the traders cannot have their positions adjusted (adding more margin) or closed in a timely manner, their positions might be at risk of being liquidated, leading to a loss for the traders.
Vulnerability Detail
Per the protocol team's response in the contest's Discord channel, it was understood the keepers operate as follows:
When announcing a deposit, withdraw, open, adjust and close order, the code will check if the order already exists and expired. If so, it will cancel the existing order and emit the
FlatcoinEvents.OrderCancelled
to inform the keepers that this order has been cancelled.However, when announcing a new limit order, the code does not check if there already exists a limit order and cancels it. As a result, it is possible for malicious users to DOS the keepers who are listening to
FlatcoinEvents.OrderAnnounced
event by executing a large number ofannounceLimitOrder
TX continuously and emitting a large number ofFlatcoinEvents.OrderAnnounced
, thus overwhelming the keepers as they will see those announced orders that have not been canceled as valid.https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/LimitOrder.sol#L58
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/LimitOrder.sol#L198
Impact
Keepers will be DOSed, which might degrade or halt the ability of the keeper to carry out its roles (e.g., executing orders and liquidating accounts). If the keepers cannot carry out some of the roles, it will have various negative impacts on the protocols and users.
For instance, if the liquidating of accounts cannot be executed or is being slowed down, the solvency of the protocol will be threatened, OR if the traders cannot have their positions adjusted or closed in a timely manner, their positions might be at risk of being liquidated, leading to a loss for the traders.
Lastly, from the perspective of keepers, they also wasted their gas executing orders that are no longer valid as the limit order has already been overwritten by a newer limit order, but they were not informed via the event.
Code Snippet
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/LimitOrder.sol#L58
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/LimitOrder.sol#L198
Tool used
Manual Review
Recommendation
If a limit order already exists, cancel the existing limit order and emit the
FlatcoinEvents.OrderCancelled
to inform the keepers that this order has been cancelled before announcing a new limit order.