search

sherlock-audit / 2024-02-rubicon-finance-judging

5 stars 3 forks source link

0xDetermination - Arbitrary external call in order validation flow can cause OOG revert/error and grief the order filler #27

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

0xDetermination

medium

Arbitrary external call in order validation flow can cause OOG revert/error and grief the order filler

Summary

(See Impact section for a link to the Sherlock rules, which states OOG errors can be considered M/H.)

The maker of an order can provide an arbitrary contract address for additional order validation; a malicious user can abuse this and cause the filling transaction to OOG revert/error.

Vulnerability Detail

The execute() function in BaseGladiusReactor calls the internal _prepare() function, which uses the ResolvedOrderLib.validate() function to validate the order. https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L53-L62 https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L208-L218 https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/lib/ResolvedOrderLib.sol

The below code in ResolvedOrderLib.validate() is a problem because it contains an arbitrary external call, since the order maker can set the address of resolvedOrder.info.additionalValidationContract to any value.

        if (
            address(resolvedOrder.info.additionalValidationContract) !=
            address(0)
        ) {
            resolvedOrder.info.additionalValidationContract.validate(
                filler,
                resolvedOrder
            );
        }

A malicious order maker can use this external call to consume all of the gas provided for the transaction, effectively griefing the order filler and causing them to lose the maximum possible gas fees provided for the transaction.

Impact

When a order filler tries to fill the order, the malicious external call will consume all of the gas provided and cause an OOG revert/error. The order filler will lose all of the gas fees provided for the transaction. (OOG can be considered M/H according to the Sherlock rules: https://docs.sherlock.xyz/audits/judging/judging#viii.-list-of-issue-categories-that-are-considered-valid)

Code Snippet

links provided above

Tool used

Manual Review

Recommendation

Call resolvedOrder.info.additionalValidationContract.validate() with a reasonable gas limit.

sherlock-admin commented 7 months ago

3 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Invalid. This will be user mistake

PNS commented:

M-1 OZ Audit; Fillers generally estimate gas before execution and use private mempools like flashbots or mevblocker.

0xAadi commented:

Invalid: OOS