sherlock-audit / 2024-02-rubicon-finance-judging


turvec - Swappers and fillers can execute partial trades on orders that have no decay #77

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

turvec

medium

Swappers and fillers can execute partial trades on orders that have no decay

Summary

Swappers and fillers can execute partial trades on orders that have no decay

Vulnerability Detail

As seen here, the resolve function should revert on any order-type-specific validation errors

/// @dev should revert on any order-type-specific validation errors

However, in the resolve function, _validateOrder(order) doesn't check if both inputs and output don't decay (that is, startAmount and endAmount of both input and output remain the same). This allows swappers and fillers to use GladiusReactor from what it's intended to do

Impact

Swappers and fillers can use GladiusReactor for executing partial trades on orders that have no decay

Code Snippet

https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/GladiusReactor.sol#L135

Tool used

Visual Studio Code

Recommendation

In the _validateOrder() function, validate that startAmount and endAmount of both input and output don't remain the same.
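
The check the Recommendation describes could look like the sketch below. It is an added example, not code from the Gladius repository or from the report: the `Amounts` struct, the `NoDecayCheck` library and the `OrderHasNoDecay` error are hypothetical names, and it reads "no decay" as every leg of the order having startAmount equal to endAmount.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration; not code from the Rubicon/Gladius repository.
/// The struct is a simplified assumption: only the two fields named in
/// the report (startAmount, endAmount) are modelled.
library NoDecayCheck {
    struct Amounts {
        uint256 startAmount;
        uint256 endAmount;
    }

    /// Raised when neither the input nor any output of the order decays.
    error OrderHasNoDecay();

    /// @dev Reverts only when the input and every output are flat, i.e.
    /// startAmount == endAmount on all legs. An order with at least one
    /// decaying leg passes. An empty outputs array with a flat input
    /// is treated as having no decay and also reverts.
    function requireDecay(Amounts memory input, Amounts[] memory outputs)
        internal
        pure
    {
        // A decaying input is enough for the order to count as decaying.
        if (input.startAmount != input.endAmount) return;

        // Otherwise look for at least one decaying output.
        for (uint256 i = 0; i < outputs.length; i++) {
            if (outputs[i].startAmount != outputs[i].endAmount) return;
        }

        revert OrderHasNoDecay();
    }
}
```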

sherlock-admin commented 7 months ago

3 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Low

PNS commented:

L-03 OZ Audit; Dutch Orders Without Duration Benefit the Filler

0xAadi commented:

Invalid: Does not cause any issues or financial loss to users or protocol