You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In Bracket.sol, the cancelOrder function lacks a nonReentrant modifier. This oversight allows an attacker to create two orders and call cancelOrder twice, enabling them to exploit the function to earn tokenIn through repeated refunds.
Root Cause
No response
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
Attacker will create order1 and order2.
So pendingOrderIds will be [order1, order2].
And attacker will call cancelOrder(order2) and cancelOrder(order1).
function _cancelOrder(Order memoryorder) internalreturns (bool) {
for (uint96 i =0; i < pendingOrderIds.length; i++) {
if (pendingOrderIds[i] == order.orderId) {
//remove from pending array
pendingOrderIds = ArrayMutation.removeFromArray(
i,
pendingOrderIds
);
//refund tokenIn amountIn to recipient
order.tokenIn.safeTransfer(order.recipient, order.amountIn);
//emit eventemitOrderCancelled(order.orderId);
returntrue;
}
}
returnfalse;
}
In calling first cancelOrder with order2, pendingOrderIds will be [order1].
But if calling second cancelOrder(order1) before ArrayMutation.removeFromArray of first cancelorder , in second _cancelOrder function pendingOrderIds will be [order2].
Finally he received 2 refunding. but still pendingOrderIds will be [order2].
Impact
Attacker can call createOrder twice and call cancelOrder twice, so that 1 order will remain .
and attacker will receive all refunds.
With this way, he can earn more and more by repeating this.
PoC
No response
Mitigation
Need to add nonReentrant modifier to CancelOrder function.
The text was updated successfully, but these errors were encountered:
Droll Shadow Crab
High
Attacker can earn by calling cancelOrder twice
Summary
In Bracket.sol, the cancelOrder function lacks a nonReentrant modifier. This oversight allows an attacker to create two orders and call cancelOrder twice, enabling them to exploit the function to earn tokenIn through repeated refunds.
Root Cause
No response
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
Attacker will create order1 and order2.
So pendingOrderIds will be [order1, order2].
And attacker will call cancelOrder(order2) and cancelOrder(order1).
https://github.com/sherlock-audit/2024-11-oku/blob/main/oku-custom-order-types/contracts/automatedTrigger/Bracket.sol#L501
In calling first cancelOrder with order2, pendingOrderIds will be [order1].
But if calling second cancelOrder(order1) before ArrayMutation.removeFromArray of first cancelorder , in second _cancelOrder function pendingOrderIds will be [order2].
Finally he received 2 refunding. but still pendingOrderIds will be [order2].
Impact
Attacker can call createOrder twice and call cancelOrder twice, so that 1 order will remain .
and attacker will receive all refunds.
With this way, he can earn more and more by repeating this.
PoC
No response
Mitigation
Need to add nonReentrant modifier to CancelOrder function.
The text was updated successfully, but these errors were encountered: