sherlock-audit / 2023-12-flatmoney-judging


kgothatso - attacker can cancel any order limit and cause a denial of service for users #248

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 8 months ago

kgothatso

high

attacker can cancel any order limit and cause a denial of service for users

Summary

attacker can cancel any order limit and cause a denial of service for users

Vulnerability Detail

An attacker can cancel any limit order and cause a denial of service for users. Token ids are public, so the attacker can front-run a transaction by cancelling the user's limit order.

Impact

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/LimitOrder.sol#L87

Tool used

Manual Review

Recommendation

Set the owner of offer _id to msg.sender and create a mapping to store these values; have a function modifier that uses the mapping when cancelling orders and checks that the caller is the one who made the order. Check that the caller is the limit order announcer for the token id before the order is cancelled. Add a function modifier.
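As an added illustration of the recommended owner-gated cancel (not the Flat Money LimitOrder contract and not code from the submitter or judges), the following hypothetical contract stores the announcer per token id and gates cancellation with a modifier; it shows the unchecked cancel the submission fears beside the checked form. Function and event names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical minimal limit-order store keyed by position token id.
/// Constructed for illustration only; not the audited contract.
contract LimitOrderExample {
    struct Order { address announcer; uint256 priceLower; uint256 priceUpper; }

    mapping(uint256 => Order) public orders; // tokenId => order

    event LimitOrderAnnounced(uint256 indexed tokenId, address indexed announcer);
    event LimitOrderCancelled(uint256 indexed tokenId);

    error NoOrder(uint256 tokenId);
    error NotOrderOwner(uint256 tokenId, address caller);

    /// Reverts unless msg.sender is the announcer recorded for `tokenId`.
    modifier onlyOrderOwner(uint256 tokenId) {
        address announcer = orders[tokenId].announcer;
        if (announcer == address(0)) revert NoOrder(tokenId);
        if (announcer != msg.sender) revert NotOrderOwner(tokenId, msg.sender);
        _;
    }

    /// Records msg.sender as the announcer so later cancels can be gated.
    /// A real system would also verify msg.sender owns the position NFT.
    function announceLimitOrder(uint256 tokenId, uint256 lower, uint256 upper) external {
        orders[tokenId] = Order(msg.sender, lower, upper);
        emit LimitOrderAnnounced(tokenId, msg.sender);
    }

    /// Weak form: any caller who knows a public token id could clear the order.
    function cancelLimitOrderUnchecked(uint256 tokenId) external {
        delete orders[tokenId];
        emit LimitOrderCancelled(tokenId);
    }

    /// Hardened form: only the announcer may cancel, so a third party cannot
    /// front-run the owner's transaction by cancelling the order first.
    function cancelLimitOrder(uint256 tokenId) external onlyOrderOwner(tokenId) {
        delete orders[tokenId];
        emit LimitOrderCancelled(tokenId);
    }
}
```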

sherlock-admin commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 7 months ago

Invalid, check done here via _checkPositionOwner()