Lucky Peach Barbel
Medium
orders can be executed at incorrect timestamps, leading to mismatched market states and potential financial losses
The bug arises in the _processOrderGlobal and _processOrderLocal functions, where the contract fails to correctly handle pending orders whose timestamps fall between the current position's timestamp and the latest oracle version. Specifically, the contract incorrectly advances the order's timestamp to the latest oracle version if newOrderTimestamp > newOrder.timestamp, without considering whether the pending order's timestamp is within the valid range for processing. This logic flaw is demonstrated in the following code snippet:
if (newOrderTimestamp > newOrder.timestamp) {
newOrder.next(newOrderTimestamp); // @audit Incorrectly advances the order
newGuarantee.next();
}For example, if the latest oracle version has a timestamp of 100, the current position's timestamp is 90, and a pending order has a timestamp of 95, the contract will incorrectly advance the order to timestamp 100 instead of processing it at 95. This results in orders being executed at incorrect timestamps, leading to mismatched market states and potential financial losses.
Pending orders are processed at the wrong timestamps, causing discrepancies between the expected and actual state of the market. This can lead to financial losses for users due to missed opportunities.
Modify the logic to ensure pending orders are processed at their correct timestamps by checking if newOrderTimestamp falls within the valid range between the current position's timestamp and the latest oracle version.