Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

All orders which use expirationTime == 0 to support oracle cancellation are not executable. #181

Open
code423n4 opened this issue Nov 14, 2022 · 4 comments
Open

All orders which use expirationTime == 0 to support oracle cancellation are not executable. #181

code423n4 opened this issue Nov 14, 2022 · 4 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working M-03 primary issue Highest quality submission among a set of duplicates selected for report This submission will be included/highlighted in the audit report sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-11-non-fungible/blob/323b7cbf607425dd81da96c0777c8b12e800305d/contracts/Exchange.sol#L378

Vulnerability details

Description

The Non Fungible supplied docs state:
Off-chain methods
"Oracle cancellations - if the order is signed with an expirationTime of 0, a user can request an oracle to stop producing authorization signatures; without a recent signature, the order will not be able to be matched"

From the docs, we can expect that when expirationTime is 0 , trader wishes to enable dynamic oracle cancellations. However, the recent code refactoring broke not only this functionality but all orders with expirationTime = 0.

Previous _validateOrderParameters:

function _validateOrderParameters(Order calldata order, bytes32 orderHash)
    internal
    view
    returns (bool)
{
    return (
        /* Order must have a trader. */
        (order.trader != address(0)) &&
        /* Order must not be cancelled or filled. */
        (cancelledOrFilled[orderHash] == false) &&
        /* Order must be settleable. */
        _canSettleOrder(order.listingTime, order.expirationTime)
    );
}
/**
 * @dev Check if the order can be settled at the current timestamp
 * @param listingTime order listing time
 * @param expirationTime order expiration time
 */
function _canSettleOrder(uint256 listingTime, uint256 expirationTime)
    view
    internal
    returns (bool)
{
    return (listingTime < block.timestamp) && (expirationTime == 0 || block.timestamp < expirationTime);

New _validateOrderParameters:

function _validateOrderParameters(Order calldata order, bytes32 orderHash)
    internal
    view
    returns (bool)
{
    return (
        /* Order must have a trader. */
        (order.trader != address(0)) &&
        /* Order must not be cancelled or filled. */
        (!cancelledOrFilled[orderHash]) &&
        /* Order must be settleable. */
        (order.listingTime < block.timestamp) &&
        (block.timestamp < order.expirationTime)
    );
}

Note the requirements on expirationTime in _canSettleOrder (old) and _validateOrderParameters (new).
If expirationTime == 0, the condition was satisfied without looking at block.timestamp < expirationTime.
In the new code, block.timestamp < expirationTime is always required in order for the order to be valid. Clearly, block.timestamp < 0 will always be false, so all orders that wish to make use of off-chain cancellation will never execute.

Impact

All orders which use expirationTime == 0 to support oracle cancellation are not executable.

Tools Used

Manual audit, diffing tool

Recommended Mitigation Steps

Implement the checks the same way as they were in the previous version of Exchange.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 14, 2022
code423n4 added a commit that referenced this issue Nov 14, 2022
@code423n4
Trust issue #181
4b8eb91
@c4-judge
Copy link
Contributor

berndartmueller marked the issue as primary issue

@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Nov 17, 2022
@c4-judge
Copy link
Contributor

berndartmueller marked the issue as selected for report

@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label Nov 17, 2022
@c4-judge c4-judge mentioned this issue Nov 17, 2022
Closed
@nonfungible47
Copy link

This is correct, however, as the maintainers of the main orderbook, we can ensure that no current orders have been created with expirationTime of 0.

@c4-sponsor
Copy link

nonfungible47 marked the issue as sponsor acknowledged

@c4-sponsor c4-sponsor added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label Nov 22, 2022
@C4-Staff C4-Staff added the M-03 label Dec 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working M-03 primary issue Highest quality submission among a set of duplicates selected for report This submission will be included/highlighted in the audit report sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@code423n4 @c4-judge @c4-sponsor @C4-Staff @nonfungible47