Root + Impact

DESCRIPTION

The OrderBook contract performs external ERC20 token transfers before updating internal state like order.isActive. This opens the door for reentrancy, where a malicious token contract could execute fallback logic and reenter sensitive functions leading to state manipulation, double withdrawals, or logic corruption.

Root Cause

• In multiple functions, token transfers (via SafeERC20.safeTransfer or safeTransferFrom) are executed before the internal state is updated (e.g., isActive flags, fee accounting, order invalidation).

• For example, in buyOrder(), tokens are transferred to msg.sender before finalizing state, allowing reentrancy vectors.

Impact

• Reentrancy attacks could manipulate state mid-execution.

• A malicious token (e.g., with fallback() calling cancelSellOrder) could interrupt and interfere with state updates.

• If order is set inactive after token transfer, recursive token callbacks may exploit assumptions or cause double-send bugs.

Risk

Risk Likelihood

This vulnerability can occur during any token transfer where:

• The contract interacts with external ERC20 contracts

• The ERC20 includes malicious fallback, approve() hooks, or is malformed

Impact

• Trade failures, potential double refunds, fee bypass

• If attacker can execute functions like cancelSellOrder or recursively trigger buyOrder, impact multiplies

Proof of Concept

DESCRIPTION

The attacker whitelists MaliciousToken, creates an order, and waits for a buyer to call buyOrder().
During safeTransfer of tokens to buyer, the malicious token reenters the contract and calls cancelSellOrder()
or another mutating function. This executes before isActive is updated, leading to unpredictable state.

Recommended Mitigation

DESCRIPTION

This ensures that even if a token tries to reenter mid-transfer,
the contract state is already locked or updated, preventing recursive execution.
This approach aligns with DeFi best practices and mitigates both economic and logical reentrancy.