search

sherlock-audit / 2024-02-rubicon-finance-judging

5 stars 3 forks source link

almurhasan - Attacker can make DOS function execute(without quantity parameter). #50

Closed sherlock-admin closed 9 months ago

sherlock-admin commented 9 months ago

almurhasan

medium

Attacker can make DOS function execute(without quantity parameter).

Summary

Attacker can frontrun the function execute(without quantity parameter).by calling the function execute(with quantity parameter) which may create dos.

Vulnerability Detail

  1. Let assume , for a order, inputAmount = 100e18; outputAmount = 100e18; fillThreshold = 50e17 and order maker has permitted 100e18 inputAmount( in signaturetransfer contract)

  2. A taker calls the function execute(without quantity parameter) to fill the full order.

  3. Attacker frontrun and call the function execute(with quantity param ) with quantity 50e17.

  4. So the taker calling function execute will fail as now order maker has permission 99.5e18 inputAmount.

Impact

If fillThreshold is 0 , then the attacker can create dos with 1 wei.

Code Snippet

https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L133

Tool used

Manual Review

Recommendation

Make sure it can’t be dosed

sherlock-admin commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

0xAadi commented:

Invalid: Lacks details