This repository has been archived by the owner on Oct 1, 2023. It is now read-only.
hickuphh3 - No way to remove dust orders in the rollover queue #80
Comments
github-actions
bot
added
Medium
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
hickuphh3
medium
No way to remove dust orders in the rollover queue
Summary
There isn't a way to remove orders with dust assets in the rollover queue. As such, an adversary can fill it with these dust orders to drive up the cost of mints and reduce the profit earned from relayer fees.
Vulnerability Detail
Orders with dust assets in the rollover queue (orders who won an epoch, and with
assets<relayerFee) can't be removed by anyone except the respective owners of these orders via delisting and withdrawing. Relayers incur the cost for iterating through such orders, but aren't compensated for it.It is therefore possible to grief relayers by making rollovers less profitable through the submission of multiple orders via multiple accounts with
_assets = relayerFee. Furthermore, the attacker bears a one-time cost to deposit & enroll for 1 epoch, but the effect is perpetual as it affects all future epochs.Impact
The rollover queue becomes increasingly bloated; rollovers become less profitable.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L357-L459
Tool used
Manual Review
Recommendation
Consider implementing a separate function that incentivises the deletion of dust orders.
Duplicate of #172
The text was updated successfully, but these errors were encountered: