ChainSecurity performed a smart contract audit of Rarible Exchange v2.
Exchange V2 implements two main functionalities: order matching (matchOrder) and order cancellation (cancelOrder).
When a pair of valid orders is matched, at least one of the orders gets fully filled. Then, the fees and royalties are paid to the corresponding parties. The filling of the order is measured by the received take asset of the order. Due to flooring of the estimation of the remaining make amount from remaining take amount, some leftover make assets can be unsellable. Depending on the arrangement of arguments, the two orders of the pair are named Left and Right. An order is valid if its signature is valid or the invoker of the matchOrder is also the maker of the order.
A pair of orders is matchable if:
- For both orders, the receiver (taker) of the order, if defined, is the same as the offerer (maker) of the other one. If no taker is defined any offerer can match.
- The asset types used in the orders match, meaning the make asset type of one order should match the take asset type of other order.
- The make/take ratios of orders allow them to be filled. In other words, the seller and buyer can agree on the price. In case of matchable but different prices the left order dictates the price of the exchange. Because of the uint arithmetics, prices are estimated by uint and checks prevent price slippage with 0.1% accuracy.
The orders can be separated into two categories:
- Salted orders: In these orders a salt (a random number) is defined. The status of these orders is stored on the blockchain. An order can be partially filled. These orders can be canceled.
- Ad-hoc orders: they have salt set to 0 and need to be sent to contract directly by the maker. Filling degree tracking is off for such orders, while only the maker can resubmit the order.
A normal order is canceled by setting its filling degree to the maximum possible value. Cancellation of the order is possible only by the maker of the order.