MegaRouterFacet does not validate that clob
is trusted
Description
The MegaRouterFacet contract provides functions that act as a wrapper for multicalls, for example, clobCancel
or clobPostLimitOrder
. These functions accept an arbitrary clob
contract address provided by the caller and do not perform validation to ensure that this contract was created using the trusted clobFactory contract.
/// @notice A clob cancel wrapper for multicalls
function clobCancel(ICLOB clob, ICLOB.CancelArgs calldata args) external override {
clob.cancel(msg.sender, args);
}
/// @notice A clob post limit order wrapper for multicalls
function clobPostLimitOrder(ICLOB clob, ICLOB.PostLimitOrderArgs memory args) external override {
args.settlement = ICLOB.Settlement.ACCOUNT;
clob.postLimitOrder(msg.sender, args);
}
Impact
Since the functions accept an arbitrary clob
contract address without validation, users can call any contract, including malicious or unintended ones. This could lead to unauthorized interactions and potential security vulnerabilities, as the contract provided by the caller can execute arbitrary logic.
Recommendations
Add verification that clob market has been created using the trusted clobFactory.
Remediation
This issue has been acknowledged by Liquid Labs, Inc., and a fix was implemented in commit 3f807fdf↗.
Liquid Labs, Inc. provided the following response:
This commit adds a validity check to functions that take an arbitrary clob address in the router, ensuring that it is a clob created by the clob factory (immutable).