Category: Protocol Risks
Trader contract can bypass max trades per pair
Low Severity
Low Impact
High Likelihood
Description
There is a limit on the number of trades a trader can have open:
    require(
        storageT.openTradesCount(msg.sender, t.pairIndex) +
            storageT.pendingMarketOpenCount(msg.sender, t.pairIndex) +
            storageT.openLimitOrdersCount(msg.sender, t.pairIndex) <
            storageT.maxTradesPerPair(),
        "MAX_TRADES_PER_PAIR"
    );
However, this limit can be bypassed by operating from multiple trading accounts or by using a contract that splits requested trades across multiple deployed proxies.
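Every counter in the check is keyed on msg.sender, so it bounds an address rather than a trader. The Python model below is an added illustration, not Avantis code and not part of the audit; the limit of 3, the address labels and the controller_of mapping are constructed assumptions.

```python
from collections import defaultdict

MAX_TRADES_PER_PAIR = 3  # assumed value; the page does not give the configured limit


class Storage:
    """Model of the three per-(sender, pairIndex) counters the require() reads."""

    def __init__(self):
        self.open_trades = defaultdict(int)
        self.pending_market_open = defaultdict(int)
        self.open_limit_orders = defaultdict(int)

    def slots_used(self, sender, pair_index):
        key = (sender, pair_index)
        return (self.open_trades[key] + self.pending_market_open[key]
                + self.open_limit_orders[key])


def open_trade(storage, sender, pair_index):
    """Mirror of the require(): rejects once this sender's own count hits the limit."""
    if not storage.slots_used(sender, pair_index) < MAX_TRADES_PER_PAIR:
        raise PermissionError("MAX_TRADES_PER_PAIR")
    storage.pending_market_open[(sender, pair_index)] += 1


def controllers_over_limit(storage, controller_of, pair_index):
    """Sum slots per controlling entity; return those above the per-address limit.

    controller_of is a hypothetical off-chain mapping (address -> entity), for
    example built from contract deployer data; nothing on-chain enforces it.
    """
    totals = defaultdict(int)
    for sender, controller in controller_of.items():
        totals[controller] += storage.slots_used(sender, pair_index)
    return {c: n for c, n in totals.items() if n > MAX_TRADES_PER_PAIR}


def run_demo():
    # Constructed sample: three proxies sharing one deployer, plus one front-end user.
    controller_of = {"proxy-a": "deployer-1", "proxy-b": "deployer-1",
                     "proxy-c": "deployer-1", "user-1": "user-1"}
    storage, pair = Storage(), 0
    for sender in controller_of:
        for _ in range(MAX_TRADES_PER_PAIR):
            open_trade(storage, sender, pair)  # each address passes its own check
    try:
        open_trade(storage, "user-1", pair)
        user_blocked = False
    except PermissionError:
        user_blocked = True
    return user_blocked, controllers_over_limit(storage, controller_of, pair)
```

The single-address user is stopped at the limit, while the entity behind three addresses holds three times as many slots without any individual check failing.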
Impact
This limit can be bypassed by sophisticated traders.
Recommendations
We recommend removing this limit to equalize the playing field between traders using the front-end and sophisticated traders who deploy contracts to instantiate trades.
Remediation
This issue has been acknowledged by Avantis Labs, Inc., and a fix was implemented in commit ab1962d7.