OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Valid

Missing Event Data in Amendment Function

Root + Impact

Description

The amendSellOrder() function allows sellers to modify their existing orders by changing the amount, price, or deadline. However, the OrderAmended event only emits the new values without including the previous values that were changed.

This creates an incomplete audit trail where external systems, dApps, and users cannot easily track what specific changes were made to an order. Without the previous values, it's impossible to determine the magnitude of changes or reconstruct the order's history from events alone.

// Root cause in the codebase with @> marks to highlight the relevant section
function amendSellOrder(
    uint256 _orderId,
    uint256 _newAmountToSell,
    uint256 _newPriceInUSDC,
    uint256 _newDeadlineDuration
) public {
    Order storage order = orders[_orderId];
    // ... validation checks ...
    uint256 newDeadlineTimestamp = block.timestamp + _newDeadlineDuration;
    // ... token transfer logic ...
    // Update order details
    order.amountToSell = _newAmountToSell;
    order.priceInUSDC = _newPriceInUSDC;
    order.deadlineTimestamp = newDeadlineTimestamp;
    // @> Event only contains new values, missing previous values
    emit OrderAmended(_orderId, _newAmountToSell, _newPriceInUSDC, newDeadlineTimestamp);
}

// @> Event definition lacks previous values
event OrderAmended(
    uint256 indexed orderId,
    uint256 newAmountToSell,
    uint256 newPriceInUSDC,
    uint256 newDeadlineTimestamp
);

Risk

Likelihood:

  • Occurs every time an order is amended, which is a core functionality

  • All amendment operations suffer from this incomplete logging

  • High likelihood as it affects user experience and system monitoring

Impact:

  • Incomplete audit trail makes it difficult to track order history

  • External systems cannot easily determine what changed without additional state queries

  • Poor user experience for applications trying to show order modification history

  • Compliance and monitoring systems cannot properly track changes

Proof of Concept

// Seller amends a sell order with ID 5
book.amendSellOrder(5, 2e18, 3000e6, 1 days);
// Event emitted (no old data, so a listener cannot tell what changed):
// OrderAmended(5, 2e18, 3000e6, 1725480012)
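
The consumer-side effect of the two event layouts, as an added example (not code from the submission or the OrderBook project): a log decoder that needs a cached copy of the order for the current three-value event, but can compute the change from the log alone once previous values are included. The helper names and the previous values are constructed for illustration, and the six-word layout assumes the field order shown in the Recommended Mitigation.

```python
# Added example: decoding OrderAmended log data off-chain.
# orderId is indexed, so it lives in the topics; only the uint256 values below
# are in the ABI-encoded data field, one 32-byte big-endian word each.
WORD = 32
FIELDS = ("amountToSell", "priceInUSDC", "deadlineTimestamp")


def encode_words(*values):
    """ABI-encode static uint256 values (used here to build sample log data)."""
    return b"".join(v.to_bytes(WORD, "big") for v in values)


def decode_words(data):
    """Split log data into uint256 integers, rejecting truncated input."""
    if len(data) % WORD:
        raise ValueError("log data is not a whole number of 32-byte words")
    return [int.from_bytes(data[i:i + WORD], "big") for i in range(0, len(data), WORD)]


def diff_amendment(data, cached_prev=None):
    """Return {field: (old, new)} for every field the amendment changed.

    3 words: current event (new values only); the caller must supply
             cached_prev, obtained from earlier logs or a state query.
    6 words: mitigated event (previous values, then new values).
    """
    words = decode_words(data)
    if len(words) == 6:
        prev, new = words[:3], words[3:]
    elif len(words) == 3:
        if cached_prev is None:
            raise LookupError("event carries no previous values; prior state required")
        prev, new = [cached_prev[f] for f in FIELDS], words
    else:
        raise ValueError("unexpected OrderAmended data length")
    return {f: (p, n) for f, p, n in zip(FIELDS, prev, new) if p != n}


# New values are the ones in the proof of concept; previous values are constructed.
NEW = (2 * 10**18, 3000 * 10**6, 1725480012)
PREV = (1 * 10**18, 3000 * 10**6, 1725400000)
CURRENT_EVENT_DATA = encode_words(*NEW)
MITIGATED_EVENT_DATA = encode_words(*PREV, *NEW)

if __name__ == "__main__":
    print(diff_amendment(MITIGATED_EVENT_DATA))  # self-contained
    print(diff_amendment(CURRENT_EVENT_DATA, dict(zip(FIELDS, PREV))))  # needs cache
```

In the constructed sample the price is unchanged, so the diff reports only the amount and the deadline, which is exactly the information the current event cannot convey on its own.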

Recommended Mitigation

event OrderAmended(
uint256 indexed orderId,
+ uint256 previousAmountToSell,
+ uint256 previousPriceInUSDC,
+ uint256 previousDeadlineTimestamp,
uint256 newAmountToSell,
uint256 newPriceInUSDC,
uint256 newDeadlineTimestamp
);
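Review bot: Adding the three previous* parameters to OrderAmended changes the event signature, and with it the topic hash that off-chain filters match on, so any indexer, subgraph or front end built from the old ABI will stop seeing amendments until it is updated. Flag this as a breaking ABI change in the release notes and regenerate the ABI for consumers. The declaration also has no NatSpec; with six unindexed uint256 fields in a row, a short @param line for each (including units, e.g. that the deadline is a timestamp and not a duration) would make the layout unambiguous.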
function amendSellOrder(
uint256 _orderId,
uint256 _newAmountToSell,
uint256 _newPriceInUSDC,
uint256 _newDeadlineDuration
) public {
Order storage order = orders[_orderId];
// ... validation checks ...
uint256 newDeadlineTimestamp = block.timestamp + _newDeadlineDuration;
+
+ // Store previous values before modification
+ uint256 previousAmountToSell = order.amountToSell;
+ uint256 previousPriceInUSDC = order.priceInUSDC;
+ uint256 previousDeadlineTimestamp = order.deadlineTimestamp;
// ... token transfer logic ...
// Update order details
order.amountToSell = _newAmountToSell;
order.priceInUSDC = _newPriceInUSDC;
order.deadlineTimestamp = newDeadlineTimestamp;
- emit OrderAmended(_orderId, _newAmountToSell, _newPriceInUSDC, newDeadlineTimestamp);
+ emit OrderAmended(_orderId, previousAmountToSell, previousPriceInUSDC, previousDeadlineTimestamp, _newAmountToSell, _newPriceInUSDC, newDeadlineTimestamp);
}
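Review bot: The new emit passes seven positional uint256 arguments, so swapping any two of them (for example previousPriceInUSDC and previousAmountToSell) compiles without warning and silently corrupts the audit trail this change is meant to provide. Add a unit test that amends an order and asserts every emitted field against the known before and after values. The snapshot of previousAmountToSell, previousPriceInUSDC and previousDeadlineTimestamp is correctly taken before the "Update order details" assignments; keep it above the elided token transfer logic as shown so that nothing in that section can alter the values being recorded.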
Updates

Lead Judging Commences

yeahchibyke Lead Judge 15 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Poor event indexing and asset token symbol not displayed

Events not properly indexed. Filtering and querying from analytic tools will be very inefficient
