Lively Pecan Griffin - multiple orders in the same block can be weaponized to steal funds to due blocktimestamp based id generation

[sherlock-admin2]

Lively Pecan Griffin

High

multiple orders in the same block can be weaponized to steal funds to due blocktimestamp based id generation

Summary

Critical security flaw discovered in Oku Protocol's order management system where deterministic order ID generation based on timestamps enables order ID collisions and potential fund manipulation.

Root Cause

ID generation based on msg.sender and block
not checking for existing order values and just override it

Internal pre-conditions

1. Order creation system active
2. No order ID collision checks
3. Timestamp-based ID generation
4. Missing order tracking mechanism

External pre-conditions

Attack

User create two orders in oracleLess, one with low amounts and one with very large amounts that can be done thrugh flash loaon, then double cancel the orders since both orderIds are in the array but both of them have values of the second large order

Impact

• Order ID collisions
• Unauthorized fund access
• Broken order tracking
• Compromised accounting system