Description

The MegaRouterFacet contract provides functions that act as a wrapper for multicalls, for example, clobCancel or clobPostLimitOrder. These functions accept an arbitrary clob contract address provided by the caller and do not perform validation to ensure that this contract was created using the trusted clobFactory contract.

/// @notice A clob cancel wrapper for multicalls
function clobCancel(ICLOB clob, ICLOB.CancelArgs calldata args) external override {
    clob.cancel(msg.sender, args);
}

/// @notice A clob post limit order wrapper for multicalls
function clobPostLimitOrder(ICLOB clob, ICLOB.PostLimitOrderArgs memory args) external override {
    args.settlement = ICLOB.Settlement.ACCOUNT;
    clob.postLimitOrder(msg.sender, args);
}

Impact

Since the functions accept an arbitrary clob contract address without validation, users can call any contract, including malicious or unintended ones. This could lead to unauthorized interactions and potential security vulnerabilities, as the contract provided by the caller can execute arbitrary logic.

Recommendations

Add verification that clob market has been created using the trusted clobFactory.

Remediation

This issue has been acknowledged by Liquid Labs, Inc., and a fix was implemented in commit 3f807fdf↗.

Liquid Labs, Inc. provided the following response:

This commit adds a validity check to functions that take an arbitrary clob address in the router, ensuring that it is a clob created by the clob factory (immutable).