OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Valid

Order Expiry Handling

Author Revealed upon completion

Root + Impact

Description

  • Normal behavior:

Each order has a deadline timestamp, after which it is considered expired. However, only the seller can cancel the order and retrieve their tokens, even after expiry. The contract does not automatically cancel expired orders or allow others to do so.

  • Issue:

If the seller loses access to their account, forgets, or is otherwise unable to cancel the order, the tokens remain locked in the contract indefinitely. This can lead to permanent loss of user funds and reduce the protocol's usability.

    function cancelSellOrder(uint256 _orderId) public {
        Order storage order = orders[_orderId];
        if (order.seller == address(0)) revert OrderNotFound();
        if (order.seller != msg.sender) revert NotOrderSeller(); // @> Only seller can cancel
        if (!order.isActive) revert OrderAlreadyInactive();
        order.isActive = false;
        IERC20(order.tokenToSell).safeTransfer(order.seller, order.amountToSell);
        emit OrderCancelled(_orderId, order.seller);
    }

Risk

Likelihood:

  • Sellers may lose access to their account, pass away, or simply forget to cancel expired orders.

  • Tokens remain locked and unusable, especially as the protocol ages and user activity changes.

Impact:

  • Permanent loss of user funds, reducing trust in the protocol.

  • Reduced protocol usability and user satisfaction, as tokens can become "stuck" in the contract.

Proof of Concept

// This PoC demonstrates how tokens can become permanently locked.
// Seller creates an order, then loses access to their wallet (e.g., lost keys).
// The order expires, but only the seller can cancel and retrieve the tokens.
// Tokens remain locked in the contract forever.

Recommended Mitigation

Allow anyone to cancel expired orders and return tokens to the seller, or implement an auto-cancellation mechanism that can be triggered by anyone.
Explanation: By allowing expired orders to be cancelled by anyone, the protocol ensures that tokens are not permanently locked, improving user experience and trust.
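
One way to implement the recommended permissionless cancellation, as an added sketch that is not part of the original submission or the OrderBook source. The struct layout, the `deadlineTimestamp` field name, the `createSellOrder` signature, and the `OrderNotExpired` and `InvalidOrder` errors are assumptions; the remaining names follow `cancelSellOrder` above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Illustrative contract only: storage layout and createSellOrder are assumed.
contract ExpiryAwareOrderBook {
    using SafeERC20 for IERC20;

    struct Order {
        address seller;
        address tokenToSell;
        uint256 amountToSell;
        uint256 deadlineTimestamp; // assumed field name for the order deadline
        bool isActive;
    }

    mapping(uint256 => Order) public orders;
    uint256 private nextOrderId = 1;

    error OrderNotFound();
    error OrderAlreadyInactive();
    error OrderNotExpired(); // assumed error, not in the original contract
    error InvalidOrder();    // assumed error, not in the original contract
    event OrderCancelled(uint256 indexed orderId, address indexed seller);

    function createSellOrder(address token, uint256 amount, uint256 duration) external returns (uint256 id) {
        if (token == address(0) || amount == 0 || duration == 0) revert InvalidOrder();
        id = nextOrderId++;
        orders[id] = Order(msg.sender, token, amount, block.timestamp + duration, true);
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
    }

    // Permissionless: any caller may close an order once its deadline has passed.
    // The refund always goes to the stored seller, never to msg.sender, so the
    // caller cannot redirect the escrowed tokens.
    function cancelExpiredOrder(uint256 _orderId) external {
        Order storage order = orders[_orderId];
        if (order.seller == address(0)) revert OrderNotFound();
        if (!order.isActive) revert OrderAlreadyInactive();
        // Expired means strictly after the deadline (assumption about the boundary).
        if (block.timestamp <= order.deadlineTimestamp) revert OrderNotExpired();
        order.isActive = false; // update state before the external token call
        IERC20(order.tokenToSell).safeTransfer(order.seller, order.amountToSell);
        emit OrderCancelled(_orderId, order.seller);
    }
}
```

The refund still lands at `order.seller`, so this clears expired orders out of the contract but does not by itself recover funds for a seller whose keys are lost.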
Updates

Lead Judging Commences

yeahchibyke Lead Judge about 5 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

Expired orders can cause backlog

By design only `seller` can call `cancelSellOrder()` on their `order`. But when an `order` expires, and the `seller` doesn't have access to the protocol, the expired `order` should be able to be cancelled by an `admin`.
