orderid in StopLimit will overwrite order in bracket
Summary
The same orderId can be used across StopLimit and Bracket contracts, enabling a user to create conflicting orders in both contracts at the same timestamp. This results in one order overwriting the other, leading to potential manipulation and double-spending exploits.
Root Cause
The generateOrderId function uses only msg.sender and block.timestamp to generate orderId. Since there is no check to verify if an orderId already exists in Bracket, orders created at the same timestamp in both contracts collide.
Internal pre-conditions
generateOrderId is called at the same timestamp for orders in both StopLimit and Bracket.
External pre-conditions
A user creates orders on StopLimit and Bracket at the same block.timestamp.
Attack Path
The user creates two orders simultaneously:
A small order in Bracket.
A larger order in StopLimit.
Both orders are assigned the same orderId due to identical msg.sender and block.timestamp.
When the StopLimit order is filled, it overwrites the Bracket order with its new data.
The user can then:
Cancel or execute both orders, effectively doubling the value of the manipulated order.
Exploit overwritten order data to reclaim funds or execute unintended orders.
Impact
Loss of funds for the protocol due to overwritten orders and unauthorized manipulation.
PoC
No response
Mitigation
Check for Existing orderId
Before creating a new order, verify whether the orderId already exists in the contract.
Virtual Indigo Shetland
High
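The mitigation described in the report, sketched as an added example (not code from the audited contracts or from the report's author). The contract name, struct fields, `handoffSource` and the use of `keccak256` are assumptions, and the per-contract nonce goes one step beyond the existence check the report asks for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical order store; token transfers and fills are left out on purpose.
contract OrderStoreSketch {
    struct Order {
        address recipient; // address(0) marks an empty slot
        uint256 amountIn;
    }

    mapping(uint256 => Order) public orders;
    address public immutable handoffSource; // assumed: the contract allowed to hand orders over
    uint256 private nonce;

    error OrderIdInUse(uint256 orderId);
    error ZeroRecipient();
    error NotHandoffSource();

    constructor(address source) {
        handoffSource = source;
    }

    /// ID shape the report describes (hash choice assumed): the same sender and
    /// timestamp give the same value in every contract that uses this formula.
    function collidingId(address sender) public view returns (uint256) {
        return uint256(keccak256(abi.encodePacked(sender, block.timestamp)));
    }

    /// Domain-separated by address(this) and made unique per call by the nonce.
    function uniqueId(address sender) internal returns (uint256) {
        return uint256(keccak256(abi.encodePacked(address(this), sender, block.timestamp, nonce++)));
    }

    function createOrder(address recipient, uint256 amountIn) external returns (uint256 id) {
        id = uniqueId(msg.sender);
        _store(id, recipient, amountIn);
    }

    /// Order arriving from the other contract with an ID assigned there.
    function createOrderWithId(uint256 id, address recipient, uint256 amountIn) external {
        if (msg.sender != handoffSource) revert NotHandoffSource();
        _store(id, recipient, amountIn);
    }

    /// The check the report asks for: never write over an occupied slot.
    function _store(uint256 id, address recipient, uint256 amountIn) private {
        if (recipient == address(0)) revert ZeroRecipient();
        if (orders[id].recipient != address(0)) revert OrderIdInUse(id);
        orders[id] = Order(recipient, amountIn);
    }
}
```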