
The minimum order size check for ASK orders during order creation is ineffective, allowing the creation of a large number of economically insignificant ImmediateOrCancel (IOC) orders. During the cron-based auction, these orders are canceled and refunded, which can consume excessive execution time (and gas, though the cron runs with an infinite gas meter, so it never fails with out-of-gas), causing block timeouts (e.g., when paired with Tendermint/CometBFT).
Additionally, the owner-callable OwnerMsg::ForceCancelOrders message can run out of gas when attempting to forcefully cancel all orders (not limited to IOC orders!).
In order_creation.rs:103-110, the pre-configured pair.min_order_size is checked against amount_in_quote. For an ASK order, amount_in_quote is calculated as base * price. A malicious user can bypass this check by providing a minimal amount of the base asset (e.g., 1 wei) and an arbitrarily high price for a limit order. This creates a valid limit order that is practically guaranteed never to be filled.
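To make the bypass concrete, here is an added Rust sketch that is not the audited project's code: the type names, the PRICE_SCALE fixed-point convention and the min_base_size field are assumptions, and only the shape of the check (an ASK valued as base * price against a quote-denominated minimum) follows the finding. It places the quote-only check next to a hardened variant that also requires an ASK to lock a minimum amount of the base asset:

```rust
// Added illustration (not the audited project's code). Type and field names,
// PRICE_SCALE and the u128 arithmetic are assumptions; only the shape of the
// check (ASK size measured as base * price) follows the finding.

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Direction {
    Bid,
    Ask,
}

#[derive(Debug, PartialEq)]
pub enum OrderError {
    BelowMinimum,
    Overflow,
}

/// Fixed-point scale for prices: `price / PRICE_SCALE` quote units per base unit.
pub const PRICE_SCALE: u128 = 1_000_000;

/// Stand-in for the pre-configured pair settings.
pub struct PairConfig {
    /// Minimum order value in quote units (the only threshold the audited check used).
    pub min_order_size: u128,
    /// Assumed addition: minimum amount of base asset an ASK must lock.
    pub min_base_size: u128,
}

/// Quote-denominated value of an order: a BID already pays in quote,
/// an ASK is valued as base * price.
pub fn amount_in_quote(dir: Direction, amount: u128, price: u128) -> Result<u128, OrderError> {
    match dir {
        Direction::Bid => Ok(amount),
        Direction::Ask => amount
            .checked_mul(price)
            .map(|v| v / PRICE_SCALE)
            .ok_or(OrderError::Overflow),
    }
}

/// The check as the finding describes it: only the quote value is compared,
/// so a dust base amount at an absurd price passes.
pub fn check_min_size_quote_only(
    cfg: &PairConfig,
    dir: Direction,
    amount: u128,
    price: u128,
) -> Result<(), OrderError> {
    if amount_in_quote(dir, amount, price)? < cfg.min_order_size {
        return Err(OrderError::BelowMinimum);
    }
    Ok(())
}

/// Hardened variant: an ASK must also lock at least `min_base_size` of the
/// base asset, so every resting order carries real collateral regardless of price.
pub fn check_min_size_hardened(
    cfg: &PairConfig,
    dir: Direction,
    amount: u128,
    price: u128,
) -> Result<(), OrderError> {
    if dir == Direction::Ask && amount < cfg.min_base_size {
        return Err(OrderError::BelowMinimum);
    }
    check_min_size_quote_only(cfg, dir, amount, price)
}

fn main() {
    let cfg = PairConfig { min_order_size: 1_000_000, min_base_size: 1_000 };
    // Constructed dust ASK: 1 unit of base at a price far above market.
    let dust = (Direction::Ask, 1u128, 5_000_000 * PRICE_SCALE);
    println!(
        "quote-only check: {:?}, hardened check: {:?}",
        check_min_size_quote_only(&cfg, dust.0, dust.1, dust.2),
        check_min_size_hardened(&cfg, dust.0, dust.1, dust.2),
    );
}
```

The hardened variant does not make spam free of consequences for the defender; it makes every resting order lock a real amount of base collateral, which is what "economically significant" has to mean for the minimum size check to do its job.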

When the cron_execute function runs, all unfilled IOC orders are collected into memory and then processed for cancellation and refunds; with a large number of orders, the execution time this requires can cause block timeouts.
Additionally, a large number of such orders will cause the owner-callable OwnerMsg::ForceCancelOrders message to consume a significant amount of gas, potentially exceeding the block/transaction gas limit and preventing the cancellation of all orders. As this is not limited to IOC orders, the attacker is under no time pressure to create the orders quickly: GTC orders remain open indefinitely.
Alpha: DoS spam findings are not always judged the same way, as they are very borderline. In any case, there is a real chance of DoS, and these findings should always be reported. To find them, think about what happens when there is a large number of orders: is there a way to cancel or handle them a batch at a time?
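The batching the tip above asks about, as an added Rust example that is not the audited project's code (the order store, the cursor scheme, the refund record and the batch limit are all assumptions): each call cancels and refunds at most `limit` orders and returns a cursor so the next cron run or owner call resumes where this one stopped, covering both the IOC-only sweep and the cancel-everything case described earlier.

```rust
// Added illustration (not the audited project's code). The order store, the
// refund record, the cursor scheme and the batch limit are assumptions.
use std::collections::BTreeMap;

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum TimeInForce {
    Gtc,
    Ioc,
}

#[derive(Clone, Debug)]
pub struct Order {
    pub id: u64,
    pub tif: TimeInForce,
    /// Unfilled amount still locked in the contract; refunded on cancel.
    pub remaining: u128,
}

#[derive(Debug, PartialEq)]
pub struct Refund {
    pub order_id: u64,
    pub amount: u128,
}

/// Orders keyed by id so a sweep can resume after the last id it handled.
pub struct Book {
    pub orders: BTreeMap<u64, Order>,
}

/// Whether an order is in scope for this sweep (IOC only, or everything).
fn in_scope(o: &Order, only_ioc: bool) -> bool {
    !only_ioc || o.tif == TimeInForce::Ioc
}

/// Cancel and refund at most `limit` in-scope orders with ids greater than
/// `cursor`. With `only_ioc` the sweep behaves like the cron; without it, like
/// an owner-driven force cancel. Returns the refunds plus the cursor for the
/// next call, or `None` once no in-scope order remains.
pub fn cancel_batch(
    book: &mut Book,
    cursor: Option<u64>,
    limit: usize,
    only_ioc: bool,
) -> (Vec<Refund>, Option<u64>) {
    let start = cursor.map_or(0, |c| c + 1);
    // Select ids first so the immutable borrow on `book` ends before we mutate it.
    let ids: Vec<u64> = book
        .orders
        .range(start..)
        .filter(|(_, o)| in_scope(o, only_ioc))
        .map(|(id, _)| *id)
        .take(limit)
        .collect();
    let mut refunds = Vec::with_capacity(ids.len());
    for id in &ids {
        if let Some(o) = book.orders.remove(id) {
            refunds.push(Refund { order_id: o.id, amount: o.remaining });
        }
    }
    let last = ids.last().copied();
    let more = last.map_or(false, |l| {
        book.orders.range(l + 1..).any(|(_, o)| in_scope(o, only_ioc))
    });
    (refunds, if more { last } else { None })
}

/// Constructed sample: ten orders, even ids IOC, odd ids GTC, `remaining` = id.
pub fn sample_book() -> Book {
    let mut orders = BTreeMap::new();
    for id in 1..=10u64 {
        let tif = if id % 2 == 0 { TimeInForce::Ioc } else { TimeInForce::Gtc };
        orders.insert(id, Order { id, tif, remaining: id as u128 });
    }
    Book { orders }
}

fn main() {
    let mut book = sample_book();
    // Each cron run handles a bounded slice; the cursor carries state across runs.
    let mut cursor = None;
    loop {
        let (refunds, next) = cancel_batch(&mut book, cursor, 3, true);
        println!("cancelled {} IOC orders, next cursor {:?}", refunds.len(), next);
        cursor = next;
        if cursor.is_none() {
            break;
        }
    }
    println!("{} orders still resting", book.orders.len());
}
```

With the cursor persisted in contract state and `limit` tuned to the block's time budget, neither the cron sweep nor a force cancel ever has to touch the whole book in one execution: an adversary can inflate the total work, but not the work done per block.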
Conclusion
This finding would earn you $1493. It boils down to the absence of any way to process the orders in batches; always check whether bulk operations can be handled a bounded batch at a time!