Anyone can cancel and get a refund of orders placed through the RubiconRouter
#224
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconRouter.sol#L440-L452
Vulnerability details
Impact
Users will lose funds associated with orders they've placed, to other users that cancel the order
Proof of Concept
The
RubiconRouter
does no validation itself of whether a user should be able to cancel an order, and instead relies onRubiconMarket
to do the checks:https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconRouter.sol#L440-L452
The
RubiconMarket
only verifies that the message sender is the owner:https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconMarket.sol#L215-L219
which will always be the
RubiconRouter
for orders placed through theRubiconRouter
:https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconMarket.sol#L391-L411
Tools Used
Code inspection
Recommended Mitigation Steps
Maintain a mapping from submitters to order IDs, inside
RubiconRouter
, and validate during cancelThe text was updated successfully, but these errors were encountered: