'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Rain Disclosed Report
Audit report Rain Smart Contract Audit ContestHead-of-book pointer not updated on cancel, enabling gas-griefing
hiddenTarget
https://github.com/hackenproof-public/rain-contracts
Vulnerability Details
Vulnerability details
-
Title: Head-of-book pointer not updated on cancel, enabling gas-griefing
-
The Problem: The
_cancelSellOrderand_cancelBuyOrderfunctions correctly remove orders from the linked list at a given price tick but do not update thefirstSellOrderPrice/firstBuyOrderPricehead pointers if the cancelled bucket becomes empty. This leaves the head pointer stale, pointing to an empty bucket, until the next matching pass traverses past it. -
Code that creates the vulnerability:
function _cancelSellOrder(
uint256 option,
uint256 price, // 1e18
uint256 orderID,
address caller
) private {
if (orderBook[option][price][orderID].exists == false) {
_revert(OrderDoesNotExist.selector);
}
...
linkedList.remove(nodeIndex);
orderBook[option][price][orderID].exists = false;
...
// NO head pointer update here
}
- Why it matters:
- An attacker can repeatedly place and cancel orders at the cheapest ticks to force the next taker in
enterOptionorplaceBuyOrderto iterate through a series of empty buckets, burning extra gas. - The attack is bounded by the number of ticks (~99) but still creates a griefing vector.
- An attacker can repeatedly place and cancel orders at the cheapest ticks to force the next taker in
Impact & Attack Scenario
-
Impact: Minor griefing and bounded gas overhead for takers. The issue does not risk funds or liveness but degrades UX and allows an attacker to increase others’ transaction costs at will. Per the bug bounty scope, this fits under “Griefing” and possibly “Block stuffing for profit.”
-
Attack scenario:
- Setup: Order book has sell orders at ticks 0.02, 0.03, etc.
firstSellOrderPrice= 0.02 ether. - Attack: Attacker places a tiny sell order at 0.01 ether;
firstSellOrderPricebecomes 0.01 ether. They then immediately cancel it. - Stale state:
firstSellOrderPriceremains 0.01 ether, but that bucket is empty. - Griefing: The next taker calls
enterOption. The matching loop starts at the stale head (0.01), finds it empty, advances to 0.02, finds the real order, and executes. The taker paid for an extra, useless loop iteration. An attacker can repeat this across multiple ticks to magnify the gas wasted.
- Setup: Order book has sell orders at ticks 0.02, 0.03, etc.
Recommendation
Update the head-of-book pointers immediately on cancel, with safe bounds and a sentinel fallback, and optionally harden the linked-list library.
- Sell side: update
firstSellOrderPricein_cancelSellOrder
- After removing the node and if the cancelled bucket equals the current head and is now empty, scan forward to the next non-empty sell bucket. If none is found up to 0.99 ether, set the head to 0 (no sells).
// After linkedList.remove(nodeIndex);
if (price == firstSellOrderPrice[option] && linkedList.isEmpty()) {
uint256 head = price;
// Advance to the next non-empty bucket; bounded by max sell price
while (head <= 0.99 ether && sellOrders[option][head].isEmpty()) {
head += TICK_SPACING;
}
// Sentinel fallback if no sells remain
firstSellOrderPrice[option] = (head <= 0.99 ether) ? head : 0;
}
- Buy side: update
firstBuyOrderPricein_cancelBuyOrder
- After removing the node and if the cancelled bucket equals the current head and is now empty, scan downward to the next non-empty buy bucket. If none is found down to
TICK_SPACING, set the head to 0 (no buys).
// After linkedList.remove(nodeIndex);
if (price == firstBuyOrderPrice[option] && linkedList.isEmpty()) {
uint256 head = price;
// Move down to the next non-empty bucket; bounded by min buy price
while (head >= TICK_SPACING && buyOrders[option][head].isEmpty()) {
head -= TICK_SPACING;
}
// Sentinel fallback if no buys remain
firstBuyOrderPrice[option] = (head >= TICK_SPACING && !buyOrders[option][head].isEmpty()) ? head : 0;
}
- Optional hardening (safe, no behavior change)
- In
LinkedList.initialize:
require(!list.isInitialized, "Already initialized");
- In
LinkedList.remove:
require(node.nextIndex != 0 && node.prevIndex != 0, "Invalid node");
These changes eliminate the stale-head griefing vector by keeping head pointers current after cancellations and ensure callers cannot corrupt the list with invalid indices.
Validation steps
I create a small PoC to prove the issue
function test_PoC_StaleHeadPointer_OnCancel_SellHeadNotAdvanced() public {
// Use private pool instance; poolOwner holds initial votes on each option
uint256 option = 1;
uint256 tick = rainPool.TICK_SPACING(); // 0.01 ether
uint256 p1 = tick; // cheapest tick
uint256 p2 = tick * 2; // next tick
// Warp to live sale
vm.warp(rainPool.startTime() + 1);
// Place two sell orders at adjacent ticks
vm.startPrank(poolOwner);
uint256 id1 = rainPool.placeSellOrder(option, p1, 1_000); // ensure (votes*price)/1e18 >= 1
uint256 id2 = rainPool.placeSellOrder(option, p2, 1_000);
vm.stopPrank();
// Head should point to the cheapest active price p1
assertEq(rainPool.firstSellOrderPrice(option), p1, "head should point to p1");
// Cancel the only order at p1; bucket becomes empty
uint256[] memory opts = new uint256[](1);
uint256[] memory prices = new uint256[](1);
uint256[] memory ids = new uint256[](1);
opts[0] = option; prices[0] = p1; ids[0] = id1;
vm.startPrank(poolOwner);
rainPool.cancelSellOrders(opts, prices, ids);
vm.stopPrank();
// PoC: head remains stale (still p1) even though p1 bucket is now empty;
// it will be advanced only on the next matching pass.
assertEq(rainPool.firstSellOrderPrice(option), p1, "stale head not updated after cancel");
}
Attachments
hidden 
Comments on this report are hidden 
Details hidden
Participants hidden