Gas Optimizations

[code423n4]

Allowing anyone to cancel orders below Dust Limit

Description

According to the OasisDEX documentation, the Dust Limit parameter was designed to filter out small orders, which protects the matching engine from using more gas than necessary. A “small order” is where the order's value is lower than the cost of gas required for its execution in USD terms. (docs)

Rubicon changed the behavior of the can_cancel modifier which prevents cancelling arbitrary dust offers.

Findings

RubiconMarket.sol#L570

modifier can_cancel(uint256 id) override {
    require(isActive(id), "Offer was deleted or taken, or never existed.");
    require(
        isClosed() || msg.sender == getOwner(id) || id == dustId,
        "Offer can not be cancelled because user is not owner, and market is open, and offer sells required amount of tokens."
    );
    _;
}

Recommended mitigation steps

Allow anyone to cancel dust offers to protect matching engine from using more gas than necessary.

In the can_cancel modifier, change the require statement to the following:

require(
    isClosed() || msg.sender == getOwner(id) || offers[id].pay_amt < _dust[address(offers[id].pay_gem)],
    "Offer can not be cancelled because user is not owner, and market is open, and offer sells required amount of tokens."
);

https://oasisdex.com/docs/announcements/oasis1-1