Closed sherlock-admin closed 5 months ago
Invalid, users are responsible for managing their own positions. If they understand that markets are volatile right now, they can always choose to not open new positions. Additionally, protocol admins can simply adjust the executability ages accordingly based on market conditions.
imkapadia
high
User can not cancel immediately
Summary
User can not cancel immediately
Vulnerability Detail
The below condition in cancelExistingOrder() does not let the user cancel the order before approximately 4 minutes (as discussed with the developer, they intend to set maxExecutabilityAge to 2 minutes, and minExecutabilityAge is not fixed yet, so let's suppose this is also 2 minutes).
where
This check prevents traders from canceling their orders immediately after they announce the order. As crypto is a volatile market, anything can happen in 4 minutes. Additionally, traders have to pay the trade fee and keeper fee when opening and closing the position, both times, although they decided to cancel the order.
Proof of Concept
announceLeverageOpen()
.cancelExistingOrder()
. But due to the above-mentioned checks they have to wait for a few minutes.
Impact
The inability to cancel orders when the user wants can have severe consequences for traders, especially in scenarios of a sudden pump.
Code Snippet
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/DelayedOrder.sol#L421-L422
Tool used
Manual Review
Recommendation
Do not use maxExecutabilityAge.
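The order timeline this report describes, as an added Python model that is not code from the report or from the Flat Money contracts. The names `Order`, `phase`, `can_cancel` and `seconds_until_cancellable` are hypothetical, the 2-minute ages are the values assumed in the report, and the exact boundary comparisons are assumptions.

```python
from dataclasses import dataclass

# Values assumed in the report: both ages taken as 2 minutes (in seconds).
MIN_EXECUTABILITY_AGE = 120
MAX_EXECUTABILITY_AGE = 120


@dataclass(frozen=True)
class Order:
    announced_at: int                      # timestamp of the announce call
    min_age: int = MIN_EXECUTABILITY_AGE   # delay before a keeper may execute
    max_age: int = MAX_EXECUTABILITY_AGE   # length of the execution window

    @property
    def executable_at(self) -> int:
        return self.announced_at + self.min_age

    @property
    def expires_at(self) -> int:
        return self.executable_at + self.max_age


def phase(order: Order, now: int) -> str:
    """Classify an announced order at time `now` (boundaries are assumed)."""
    if now < order.announced_at:
        raise ValueError("order not announced yet")
    if now < order.executable_at:
        return "pending"      # too young to execute, cannot be cancelled
    if now <= order.expires_at:
        return "executable"   # a keeper may execute, still cannot be cancelled
    return "expired"          # execution window passed, cancel is allowed


def can_cancel(order: Order, now: int) -> bool:
    # Models the behaviour described in the report: cancel only after expiry.
    return phase(order, now) == "expired"


def seconds_until_cancellable(order: Order, now: int) -> int:
    return max(0, order.expires_at + 1 - now)


if __name__ == "__main__":
    order = Order(announced_at=1_000)  # constructed sample timestamp
    for t in (1_000, 1_120, 1_240, 1_241):
        print(t, phase(order, t), can_cancel(order, t))
    # Shorter admin-configured ages shrink the wait, as the closing comment notes.
    print(seconds_until_cancellable(Order(0, min_age=10, max_age=60), 0))
```
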