OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: high
Invalid

Lack of Access Control on Withdrawal of Tokens which were added and allowed to be sold after the Smart Contract was Deployed

The owner of the smart contract decides which tokens sellers may list in the order book (in the constructor of the smart contract and through the function setAllowedSellToken), but he cannot withdraw the tokens that sellers have listed, as enforced in the function emergencyWithdrawERC20. The following two blocks of code show both functions:

    function setAllowedSellToken(address _token, bool _isAllowed) external onlyOwner {
        if (_token == address(0) || _token == address(iUSDC)) revert InvalidToken(); // Cannot allow null or USDC itself
        allowedSellToken[_token] = _isAllowed;
        emit TokenAllowed(_token, _isAllowed);
    }

    function emergencyWithdrawERC20(address _tokenAddress, uint256 _amount, address _to) external onlyOwner {
        if (
            _tokenAddress == address(iWETH) || _tokenAddress == address(iWBTC) || _tokenAddress == address(iWSOL)
                || _tokenAddress == address(iUSDC)
        ) {
            revert("Cannot withdraw core order book tokens via emergency function");
        }
        if (_to == address(0)) {
            revert InvalidAddress();
        }
        IERC20 token = IERC20(_tokenAddress);
        token.safeTransfer(_to, _amount);
        emit EmergencyWithdrawal(_tokenAddress, _amount, _to);
    }

The problem is that the emergency withdrawal function only refuses to withdraw the tokens defined in the constructor of the smart contract. The owner can therefore call setAllowedSellToken to add a token that sellers can list and sell, and later call the emergency withdrawal function. That function only protects the initial tokens; the new token has no protection against withdrawal, so the owner of the smart contract can withdraw it. If there are sellers with open orders who have locked their tokens in the smart contract, they will lose their tokens.

Likelihood:

The likelihood of this occurring is very high if the owner of the smart contract is a fraudster: he can pull the rug at any time by withdrawing tokens that he allowed to be sold on the order book, since they have no protection against withdrawal.

Impact:

When the owner of the smart contract adds a token that can be listed and sold on the order book, sellers transfer their tokens to the smart contract, where they stay locked until the order is filled, cancelled or expired. If the owner later uses the emergency withdrawal function to withdraw those tokens, the sellers of that token lose their funds.

Proof of Concept

  1. The owner of the smart contract calls the function setAllowedSellToken and enables a certain token to be listed and sold by sellers on the order book.

  2. When the contract's balance of that token has grown large through seller deposits, which stay locked until bought or expired, the owner of the contract calls the emergency withdrawal function.

  3. Since the new token isn't protected in that function, the owner of the contract can withdraw it, leading to loss of funds for the sellers who locked their tokens while waiting for them to be sold.

Recommended Mitigation

It is recommended that when the owner of the smart contract adds a token that can be listed and sold on the order book, that token is also given the restriction that it cannot be withdrawn by anyone, not even the owner of the smart contract, so that sellers do not lose their funds.
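One way to express this mitigation, as an added sketch that is not the OrderBook contract's own code: the guard reads a lock flag that is set when a token is first allowed and never cleared, because a check on `allowedSellToken` alone would stop protecting open orders as soon as the token is delisted. The contract name, the `withdrawalLocked` mapping, the `EscrowTokenLocked` error and the constructor parameter are assumptions, and the imports assume OpenZeppelin Contracts v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Added sketch, not the OrderBook contract: it models only the allow-list
/// and the emergency withdrawal guard. Assumes OpenZeppelin Contracts v5.
contract WithdrawalGuardSketch is Ownable {
    using SafeERC20 for IERC20;

    error InvalidToken();
    error InvalidAddress();
    error EscrowTokenLocked(address token); // hypothetical error name

    event TokenAllowed(address indexed token, bool isAllowed);
    event EmergencyWithdrawal(address indexed token, uint256 amount, address indexed to);

    mapping(address => bool) public allowedSellToken;
    // Hypothetical state: true for every token the book may hold in escrow.
    // It is set but never cleared, so open orders stay covered after delisting.
    mapping(address => bool) public withdrawalLocked;

    /// @param _coreTokens tokens fixed at deployment (WETH, WBTC, WSOL, USDC on the page)
    constructor(address[] memory _coreTokens) Ownable(msg.sender) {
        for (uint256 i = 0; i < _coreTokens.length; i++) {
            withdrawalLocked[_coreTokens[i]] = true;
        }
    }

    function setAllowedSellToken(address _token, bool _isAllowed) external onlyOwner {
        if (_token == address(0)) revert InvalidToken();
        allowedSellToken[_token] = _isAllowed;
        // Lock on first listing; passing _isAllowed = false does not unlock.
        if (_isAllowed) withdrawalLocked[_token] = true;
        emit TokenAllowed(_token, _isAllowed);
    }

    function emergencyWithdrawERC20(address _tokenAddress, uint256 _amount, address _to) external onlyOwner {
        // One lookup replaces the hard-coded comparison against four addresses.
        if (withdrawalLocked[_tokenAddress]) revert EscrowTokenLocked(_tokenAddress);
        if (_to == address(0)) revert InvalidAddress();
        IERC20(_tokenAddress).safeTransfer(_to, _amount);
        emit EmergencyWithdrawal(_tokenAddress, _amount, _to);
    }
}
```

The trade-off of a permanent lock is that tokens of a listed type sent to the contract by mistake can no longer be rescued; tracking the escrowed amount per token and allowing withdrawal of only the surplus is the finer-grained alternative.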

Updates

Lead Judging Commences

yeahchibyke Lead Judge 12 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
