OrderBook

First Flight #43

Beginner FriendlySolidity

100 EXP

View all submissions

Previous Next

Submission Details

Impact: high

Likelihood: medium

Invalid

H-02 Irregular `_deadlineDuration` Setting Will Cause Sell Orders to Expire Immediately, Preventing Buyers from Successfully Completing Transactions!

Author Revealed upon completion

Root + Impact

Description

In the createSellOrder function, there is no handling for the minimum value of _deadlineDuration, which causes the sell order to expire immediately, preventing the buyer from successfully completing the transaction! This breaks the expected functionality of the protocol!!

function createSellOrder(

address _tokenToSell, // Token choice: the seller selects a supported token (wETH, wBTC, or wSOL).

uint256 _amountToSell, // Amount of tokens to sell (must be > 0).

uint256 _priceInUSDC, // Total price (USDC, must be > 0).

uint256 _deadlineDuration // Order validity period (maximum of 3 days).

) public returns (uint256) {

Risk

Likelihood:

Reason 1: Ordinary seller's erroneous operation, setting _deadlineDuration to an extremely small value!

Impact:

Impact 1: Causes the sell order to expire immediately after creation, preventing the buyer from successfully completing the transaction!

Proof of Concept

function test_deadlineDuration() public {

// NOTE: SellOrder

vm.startPrank(alice);

wbtc.approve(address(book), 2e8);

// INFO:

uint256 aliceId = book.createSellOrder(address(wbtc), 2e8, 1e6, 1);

vm.stopPrank();

// NOTE: BuyOrder

vm.startPrank(dan);

usdc.approve(address(book), 200_000e6);

// INFO: Purchase fails

vm.expectRevert();

book.buyOrder(aliceId); // dan buys from alice

vm.stopPrank();

}

Output

│ ├─ emit OrderFilled(orderId: 1, buyer: will_buy_orders: [0x9E0e95D768E723C2c0b2e518C46786e60c9A86fD], seller: will_sell_wbtc_order: [0xaf6db259343D020E372F4ab69cAd536aAf79D0ac])

│ └─ ← [Stop]

└─ ← [Revert] next call did not revert as expected

Recommended Mitigation

Handle the minimum value of _deadlineDuration to ensure that the value of _deadlineDuration is reasonable!

Updates

Lead Judging Commences

yeahchibyke Lead Judge

4 days ago

yeahchibyke Lead Judge about 13 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

217

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

View preliminary results

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.