Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Avantis>Threat Model>cancelOpenLimitOrder
GeneralOverview
Findings
Critical (6)
High (7)
Medium (8)
Low (10)
Informational (7)
DiscussionReferral code incentives are misalignedVeTranche NFT info should be structNo way to remove user from Trading whitelistPyth price can become negative or erraticTranche has unnecessary `ReentrancyGuard`Checks-effects-interactions pattern brokenTypos
Threat ModelWhat are threat models?Execute.solReferral.sol
Trading.solcancelOpenLimitOrdercloseTradeMarketexecuteLimitOrderopenTradeupdateMarginupdateOpenLimitOrderupdateTpAndSl
TradingStorage.solTranche.solVaultManager.solVeTranche.sol
Audit ResultsSummary

Function: cancelOpenLimitOrder(uint256 _pairIndex, uint256 _index)

This cancels an open limit order.

Inputs

  • _pairIndex

    • Control: Fully controlled by caller.

    • Constraints: None.

    • Impact: The index of the trading pair.

  • _index

    • Control: Fully controlled by caller.

    • Constraints: None.

    • Impact: The index of the order.

Branches and code coverage

Intended branches

  • Unregisters the open limit order.

  • Transfers the USDC to the trader.

Negative behavior

  • Revert if block.number - o.block is less than limitOrdersTimelock.

Function call analysis

  • this.storageT.getOpenLimitOrder(msg.sender, _pairIndex, _index)

    • What is controllable? msg.sender, _pairIndex, and _index.

    • If the return value is controllable, how is it used and how can it go wrong? Returns the open limit order; this limit order is updated and later stored in storage.

    • What happens if it reverts, reenters, or does other unusual control flow? N/A.

  • this.storageT.transferUSDC(address(this.storageT), msg.sender, o.positionSize + o.executionFee)

    • What is controllable? msg.sender, o.positionSize, and o.executionFee.

    • If the return value is controllable, how is it used and how can it go wrong? Transfers the USDC balance associated with the canceled order back to the caller — no return value.

    • What happens if it reverts, reenters, or does other unusual control flow? If it reverts, the entire call will revert — no reentrancy scenarios.

  • this.storageT.unregisterOpenLimitOrder(msg.sender, _pairIndex, _index)

    • What is controllable? msg.sender, _pairIndex, and _index.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? N/A.

Zellic © 2025Back to top ↑