imkapadia - User can not cancel immediately

[sherlock-admin]

imkapadia

high

User can not cancel immediately

Summary

User can not cancel immediately

Vulnerability Detail

Below condition in the cancelExistingOrder() does not let user the cancel order before 4 minutes approx (As discussed with developer they are intended to set maxExecutabilityAge to 2 minutes and minExecutabilityAge is not fixed yet so let's suppose this is also 2 minutes.).

if (block.timestamp <= order.executableAtTime + vault.maxExecutabilityAge())

where

executableAtTime = uint64(block.timestamp + vault.minExecutabilityAge());

This checks prevents traders from canceling their orders immediately after the announce the order. As crypto is volatile market anything can happen in 4 minutes. Additionally trader have to pay trade fee and keeper fee when opening and closing the position both the times although they decided to cancel the order.

Proof of Concept

1. Trader open position by calling announceLeverageOpen().
2. Price starts rising up from the current price in a few seconds.
3. Order has not executed yet.
4. Trader cancel the order by calling cancelExistingOrder(). But due to above mentioned checks they have to wait for few minutes.
5. Keeper executes the order.

Impact

The inability to cancel orders when user wants can have severe consequence for traders, especially in scenarios sudden pump.

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/DelayedOrder.sol#L421-L422

Tool used

Manual Review

Recommendation

Do not use maxExecutabilityAge.

[nevillehuang]

Invalid, users are responsible for managing their own positions. If they understand that markets are volatile right now, they can always choose to not open new positions. Additionally, protocol admins can simply adjust the executability ages accordingly based on market conditions