search

sherlock-audit / 2024-05-kwenta-x-perennial-integration-update-judging

5 stars 3 forks source link

pnkjbee2 - Lack of input validation in _placeOrder function #9

Closed sherlock-admin3 closed 5 months ago

sherlock-admin3 commented 5 months ago

pnkjbee2

high

Lack of input validation in _placeOrder function

Summary

The _placeOrder function does not validate the order.side parameter, which can lead to unexpected behavior or errors.

Vulnerability Detail

Impact

An attacker can create an order with an invalid side parameter (e.g., side = 4), which may cause the contract to malfunction or revert.

Code Snippet

https://github.com/sherlock-audit/2024-05-kwenta-x-perennial-integration-update/blob/main/perennial-v2/packages/perennial-extensions/contracts/MultiInvoker.sol#L426 function _placeOrder( address account, IMarket market, TriggerOrder memory order ) internal isMarketInstance(market) { if (order.fee.isZero()) revert MultiInvokerInvalidOrderError(); if (order.comparison != -1 && order.comparison != 1) revert MultiInvokerInvalidOrderError(); if ( order.side > 3 || // Invalid side (order.side == 3 && order.delta.gte(Fixed6Lib.ZERO)) // Disallow placing orders that increase collateral ) revert MultiInvokerInvalidOrderError();

    _orders[account][market][++latestNonce].store(order);
    emit OrderPlaced(account, market, latestNonce, order);
}

Tool used

Manual Review

Recommendation

sherlock-admin2 commented 5 months ago

2 comment(s) were left on this issue during the judging contest.

z3s commented:

Invalid; There is input validation.

FSchmoede commented:

Invalid. Even if done this would only cause issues for the issues for attacker himself/herself.