Anybody can cancel orders made by RubiconRouter #117
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate: This issue or pull request already exists
Lines of code
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L440
Vulnerability details
Anybody can cancel an offer made by another user through RubiconRouter.
Impact
If a user creates an offer that is not fully filled, anybody (including bots) can swoop in, cancel it, and take the user's funds.
Proof of Concept
Anybody can create an offer using offerForETH. The router does not record the offer's originator. Then, by calling cancelForETH, which does not check who called it, anybody can sweep the user's funds.
Recommended Mitigation Steps
There are a few options, for example:
An overloaded offer function that allows the caller to specify who can cancel the offer.