Platform: Code4rena
Start Date: 24/06/2021
Pot Size: $80,000 USDC
Total HM: 18
Participants: 12
Period: 7 days
Judge: cemozerr
Total Solo HM: 11
Id: 16
League: ETH
Rank: 7/12
Findings: 3
Award: $1,449.39
Selected for report: 1
Solo Findings: 0
905.8738 USDC - $905.87
tensors
The contracts assume that all tokens will have <=18 decimals. If the Tracer team are the only people deploying the contracts, and they keep this in mind, this isn't a problem. If the contracts are to be deployed by other people, this assumption should be made explicit and hard-coded.
https://github.com/code-423n4/2021-06-tracer/blob/main/src/contracts/lib/LibBalances.sol#L220-L232
We can see that the scaler computation will underflow and be defined when it should not be.
Write a require check that ensures tokenDecimals <= 18 before running the above functions.
#0 - raymogg
2021-07-05T03:23:55Z
Valid issue and makes sense as a medium.
Suggested mitigation will be implemented.
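The guard recommended in this finding, as an added Solidity example that is not part of the report and not Tracer's own LibBalances code. It assumes a 0.8-series compiler and invents the names `DecimalScaling`, `tokenToWad`, `wadToToken`, `IERC20Decimals` and `MarketWithDecimalGuard` for illustration; the real library at the linked path may be laid out differently.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example (not Tracer's LibBalances): token <-> WAD scaling with the
/// "tokenDecimals <= 18" assumption enforced instead of implied.
library DecimalScaling {
    uint256 internal constant MAX_DECIMALS = 18;

    /// 10**(18 - tokenDecimals), rejecting tokens with more than 18 decimals
    /// up front rather than leaving the subtraction to fail (or wrap).
    function scaler(uint256 tokenDecimals) internal pure returns (uint256) {
        require(tokenDecimals <= MAX_DECIMALS, "DecimalScaling: decimals > 18");
        return 10 ** (MAX_DECIMALS - tokenDecimals);
    }

    /// Raw token units (e.g. 1e6 for one 6-decimal USDC) -> 18-decimal WAD (1e18).
    function tokenToWad(uint256 tokenDecimals, uint256 amount) internal pure returns (uint256) {
        return amount * scaler(tokenDecimals);
    }

    /// 18-decimal WAD -> raw token units; integer division drops dust below
    /// the token's own precision.
    function wadToToken(uint256 tokenDecimals, uint256 wad) internal pure returns (uint256) {
        return wad / scaler(tokenDecimals);
    }
}

/// Minimal ERC-20 surface needed to read a token's decimals (assumed interface).
interface IERC20Decimals {
    function decimals() external view returns (uint8);
}

/// Deployer-side guard (hypothetical market contract): read decimals() once at
/// construction and refuse unsupported collateral, so anyone deploying the
/// contracts hits the assumption immediately rather than on the first trade.
contract MarketWithDecimalGuard {
    address public immutable collateral;
    uint256 public immutable tokenDecimals;

    constructor(address collateralToken) {
        uint8 d = IERC20Decimals(collateralToken).decimals();
        require(d <= 18, "Market: collateral decimals > 18");
        collateral = collateralToken;
        tokenDecimals = d;
    }

    /// Example conversion: with 6-decimal collateral, 1_000_000 -> 1e18.
    function toWad(uint256 rawAmount) external view returns (uint256) {
        return DecimalScaling.tokenToWad(tokenDecimals, rawAmount);
    }
}
```

Under 0.8 checked arithmetic `MAX_DECIMALS - tokenDecimals` already reverts on underflow, so the `require` mostly turns a bare panic into a named invariant; if the same code were compiled with 0.7 or placed in an `unchecked` block, the subtraction would wrap and the scaler would silently be wrong, which is the failure mode the finding describes. Checking `decimals()` once in the constructor also keeps the revert out of every later call.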
543.5243 USDC - $543.52
tensors
Market makers will not be able to have competitive spreads or cancel their orders to update their strategies. It will be difficult for them to provide liquidity on the platform, which will hurt the platform overall.
In traditional finance market makers turn a profit through the spreads they offer. If the market moves to one side or another they can quickly cancel their limit orders and update their order books accordingly.
Since all orders will appear on chain, bots can frontrun cancellation orders by the market makers to get a cheap price (and maybe even sell on the updated market maker's order book), thus disincentivizing market makers from providing liquidity.
Hard to say what a proper mitigation could be. A possible solution: if limit orders had an expiry deadline (e.g. like what Uniswap does with incoming transactions), this problem would be diminished.
Another similar thing to note: market makers will have to use large amounts of gas to keep updating their limit orders (whether or not a deadline or other mitigation is included). As long as the contracts are fully on-chain, not much can be done about this.
#0 - raymogg
2021-07-05T03:23:22Z
Marked as a dispute as this is not really an issue. Tracer will initially maintain an off chain order book that is the entry point for users to make orders (and for market makers to interact with).
Orders only get propagated on chain once they have been matched, and they will only be propagated on chain by whitelisted relayers. As such nobody can arbitrarily frontrun the orders with their own.
#1 - cemozerr
2021-07-18T21:33:59Z
Currently not seeing a whitelisted relayer functionality, so marking this a valid medium risk issue.
#2 - loudoguno
2021-08-23T22:52:13Z
closing as duplicate of #100 per judge
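The expiry-deadline mitigation proposed in this finding, as an added Solidity example that is not from the report and not from Tracer's contracts. It assumes a signed-order model in which matched orders are submitted on chain (the sponsor reply above describes a relayer flow of that shape) and invents the `ExpiringOrders` contract and its `Order` struct; the nonce-floor bulk cancel (`bumpNonce`) goes beyond the text as a cheaper alternative to cancelling a ladder of orders one transaction at a time. Signature verification and margin settlement are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example (not Tracer code): limit orders that carry an expiry, so a
/// stale quote dies on its own even when the maker's cancel is front-run.
contract ExpiringOrders {
    struct Order {
        address maker;
        uint256 amount;   // size, WAD
        uint256 price;    // limit price, WAD
        bool    isLong;
        uint256 expires;  // unix time after which the order cannot be filled
        uint256 nonce;    // per-maker counter used for bulk invalidation
    }

    mapping(bytes32 => bool) public cancelled;    // per-order cancels
    mapping(bytes32 => uint256) public filled;    // cumulative fills per order
    mapping(address => uint256) public minNonce;  // orders below this are dead

    event Filled(bytes32 indexed id, address indexed maker, address taker, uint256 amount);

    function orderId(Order memory o) public pure returns (bytes32) {
        return keccak256(abi.encode(o.maker, o.amount, o.price, o.isLong, o.expires, o.nonce));
    }

    /// Live = unexpired, not individually cancelled, and not retired by nonce.
    function isLive(Order memory o) public view returns (bool) {
        return block.timestamp <= o.expires
            && !cancelled[orderId(o)]
            && o.nonce >= minNonce[o.maker];
    }

    /// Single cancel. A bot can still front-run this, but only within the
    /// order's remaining lifetime, which the maker chose when signing it.
    function cancel(Order memory o) external {
        require(msg.sender == o.maker, "not maker");
        cancelled[orderId(o)] = true;
    }

    /// Retire every outstanding order with nonce < newMin in one transaction,
    /// so re-quoting after a market move does not cost one cancel per level.
    function bumpNonce(uint256 newMin) external {
        require(newMin > minNonce[msg.sender], "nonce must increase");
        minNonce[msg.sender] = newMin;
    }

    /// Taker fill against a live order; partial fills are tracked by id.
    function fill(Order memory o, uint256 amount) external {
        bytes32 id = orderId(o);
        require(isLive(o), "order not live");
        require(filled[id] + amount <= o.amount, "over fill");
        filled[id] += amount;
        emit Filled(id, o.maker, msg.sender, amount);
    }
}
```

With `expires` set a few blocks ahead, a front-run `cancel` buys the bot at most that window; the maker re-quotes by signing a fresh order off chain rather than paying gas, and `bumpNonce` retires a whole ladder at once when the book has to move.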