From Adam:

I think that at least in case of ZeroExV3Adapter maybe also in other adapters, it's possible to pass cancelOrder an _identifier of already cancelled or expired order instead of the currently expired one, leading to an incorrect amount of money being returned to vault and also possibly current order not being cancelled leading to multiple orders for the same asset and exchange existing at the same time. In my opinion, since only one order per sell asset and exchange can exist at a time, the order to be cancelled should be identified by combination of exchange and sell asset, not by the order identifier which should be fetched from exchangesToOpenMakeOrders[ofExchange][sellAsset].id

leading to an incorrect amount of money being returned to vault

Point of clarification: returnAssetToVault() moves an entire ERC20 balance of the Trading contract to the Vault, so there are no "incorrect amounts" involved. But returning the entire quantity of tokens is just as bad if that asset is in an open, non-custodial order.

The greater point stands, that cancelOrder needs to require that an order has not already been cancelled, however implemented.

Fixed by 518eb0b