Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pet Rose Chicken - Allowing modifying not pending order leads minOrderSize token getting locked #884

Open
sherlock-admin2 opened this issue Dec 9, 2024 · 0 comments
Open

Pet Rose Chicken - Allowing modifying not pending order leads minOrderSize token getting locked #884

sherlock-admin2 opened this issue Dec 9, 2024 · 0 comments

Comments

@sherlock-admin2
Copy link

Pet Rose Chicken

Medium

Allowing modifying not pending order leads minOrderSize token getting locked

Summary

The function modifyOrder() doesn't check if an order is pending, which may leads minOrderSize token getting locked.

Root Cause

In Bracket.sol#L216, the function modifyOrder() doesn't check if an order is pending, modifying a cancelled or filled order is allowed.

    function modifyOrder(
        uint96 orderId,
        uint256 _takeProfit,
        uint256 _stopPrice,
        uint256 amountInDelta,
        IERC20 _tokenOut,
        address _recipient,
        uint16 _takeProfitSlippage,
        uint16 _stopSlippage,
        bool permit,
        bool increasePosition,
        bytes calldata permitPayload
    ) external override nonReentrant {
        //get order
        Order memory order = orders[orderId];

        //only order owner
        require(msg.sender == order.recipient, "only order owner");

        //deduce any amountIn changes
        uint256 newAmountIn = order.amountIn;
        if (amountInDelta != 0) {
            if (increasePosition) {
                newAmountIn += amountInDelta;
                //take funds via permit2
                if (permit) {
                    handlePermit(
                        order.recipient,
                        permitPayload,
                        uint160(amountInDelta),
                        address(order.tokenIn)
                    );
                } else {
                    //legacy transfer, assume prior approval
                    order.tokenIn.safeTransferFrom(
                        order.recipient,
                        address(this),
                        amountInDelta
                    );
                }
            } else {
                //ensure delta is valid
                require(amountInDelta < order.amountIn, "invalid delta");

                //set new amountIn for accounting
                newAmountIn -= amountInDelta;

                //check min order size for new amount
                MASTER.checkMinOrderSize(order.tokenIn, newAmountIn);

                //refund position partially
                order.tokenIn.safeTransfer(order.recipient, amountInDelta);
            }
        }
    ...

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

if user modifies an not pending order, minOrderSize token gets locked.

PoC

No response

Mitigation

No response
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin2