Skip to content

Latest commit

 

History

History
59 lines (36 loc) · 1.62 KB

075.md

File metadata and controls

59 lines (36 loc) · 1.62 KB

Boxy Ash Ant

High

Critical Order Modification Vulnerability After Order Cancellation/Filling

Summary

The modifyOrder functions across all contracts (Bracket, StopLimit, OracleLess) lack validation to prevent modification of cancelled or filled orders. An attacker can cancel an order to receive their funds, then modify the cancelled order to receive the order amount again.

Root Cause

The contracts track orders in two separate data structures. However, modifyOrder only checks ownership and there is no check if order is canceled or filled. This allows user to withdraw funds twice for canceled or filled orders by modifying their orders.

function modifyOrder(uint96 orderId, ...) external nonReentrant {
    Order memory order = orders[orderId];
    require(msg.sender == order.recipient, "only order owner");
    // @audit No check if order is still active in pendingOrderIds
    
    if (amountInDelta != 0) {
        if (increasePosition) {
            newAmountIn += amountInDelta;
            // ... transfer tokens ...
        }
    }
    // ... update order ...
}

https://github.com/sherlock-audit/2024-11-oku/blob/ee3f781a73d65e33fb452c9a44eb1337c5cfdbd6/oku-custom-order-types/contracts/automatedTrigger/Bracket.sol#L216

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. User create initial order
  2. Cancel order to receive funds
  3. Modify cancelled order to decrease order amount and receive more funds

Impact

Multiple withdrawals of the same order amount

PoC

No response

Mitigation

Update order amount when canceled or filled