The OrderBook contract is not designed to handle native tokens (e.g. ETH, MATIC, BNB) and exclusively interacts with ERC20 tokens such as wETH, wBTC, and wSOL. It defines neither a receive() nor a fallback() function, so a plain value transfer to it reverts. That does not keep native tokens out of the contract, however, because it also has no way to handle or recover a balance that is forced in. The contract can still end up holding native tokens via:
selfdestruct(payable(orderBook)) from another contract, which the recipient cannot refuse: no receive() or fallback() runs, and the transfer survives EIP-6780 (Cancun), which only restricts code/storage deletion and still sends the full balance to the target
Direct transfers from users, whether accidental or griefing transactions from bots, revert on the current code, but would succeed the moment a receive() or fallback() is added without proper handling
While these native tokens will be trapped and unusable, this may lead to future operational issues, trust concerns, or misunderstandings regarding fund ownership.
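The forced-transfer path, as an added illustration that is not part of the original finding or the OrderBook code base. OrderBookLike is a hypothetical stand-in that, like the real contract, has no receive() or fallback(); ForceSend and ForceEthDemo are constructed helpers that show a plain transfer reverting while selfdestruct lands ETH in the target anyway:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the OrderBook: no receive()/fallback(),
// so a plain value transfer to it reverts.
contract OrderBookLike {
    function nativeBalance() external view returns (uint256) {
        return address(this).balance;
    }
}

// Constructed griefing helper: funded at deployment, then selfdestructs
// into the target. The target gets no chance to run code and refuse.
contract ForceSend {
    constructor() payable {}

    function force(address target) external {
        // Balance moves immediately; still true after EIP-6780 (Cancun),
        // which only changed whether the contract's code/storage is cleared.
        selfdestruct(payable(target));
    }
}

// Constructed driver: call run() with some ETH attached.
contract ForceEthDemo {
    function run()
        external
        payable
        returns (bool directTransferOk, uint256 balanceAfterForce)
    {
        require(msg.value >= 2, "attach at least 2 wei");
        OrderBookLike book = new OrderBookLike();
        uint256 half = msg.value / 2;

        // 1. Direct transfer: reverts because nothing accepts plain ETH.
        (directTransferOk, ) = address(book).call{value: half}("");
        // directTransferOk == false

        // 2. Forced transfer via selfdestruct: cannot be refused.
        ForceSend f = new ForceSend{value: half}();
        f.force(address(book));
        balanceAfterForce = book.nativeBalance(); // == half

        // Return the unused half to the caller so nothing is stuck here.
        (bool refunded, ) = msg.sender.call{value: msg.value - half}("");
        require(refunded, "refund failed");
    }
}
```

Deploying ForceEthDemo and calling run() with a small value returns directTransferOk == false and balanceAfterForce equal to the amount routed through ForceSend, with no error at any point. selfdestruct is not the only forcing path: a contract address can also receive ETH as a block's fee recipient (coinbase) or as a validator withdrawal address, and none of these invoke receive() or fallback() either.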
Likelihood:
Can be triggered at any time by anyone able to deploy a contract and call selfdestruct; no privileged role, user mistake, or interaction with the OrderBook's own functions is required
Impact:
Native tokens become permanently locked in the contract
Reputational risk if future upgrades or manual withdrawals are used to retrieve the trapped tokens
Attackers can inflate address(this).balance at will, so any future version that reads it for accounting or invariant checks can be manipulated
The selfdestruct path raises no error: the ETH simply lands in the contract, where it is trapped.
Alternatively, if native-token functionality is expected in the future, implement explicit handling for it (e.g. automatically wrapping incoming ETH to wETH) rather than leaving the balance unreachable.
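One way the "wrap to wETH" option could look, as an added sketch that is not the OrderBook's code and not a proposed patch to it. MockWETH is a constructed stand-in for WETH9 (whose real deposit()/balanceOf() have these signatures); OrderBookNativeHandling is hypothetical and shows both a receive() that wraps ordinary transfers and a permissionless sweep for ETH that arrives via selfdestruct, which receive() never sees:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of the canonical WETH9 interface.
interface IWETH {
    function deposit() external payable;
    function balanceOf(address) external view returns (uint256);
}

// Constructed stand-in for WETH9 so the sketch is self-contained.
contract MockWETH is IWETH {
    mapping(address => uint256) public override balanceOf;

    function deposit() external payable override {
        balanceOf[msg.sender] += msg.value;
    }
}

// Hypothetical handling: native tokens that reach the contract are turned
// into wETH, the asset the order book already knows how to account for.
contract OrderBookNativeHandling {
    IWETH public immutable weth;

    event NativeWrapped(address indexed from, uint256 amount);
    event ForcedNativeWrapped(uint256 amount);

    constructor(IWETH _weth) {
        weth = _weth;
    }

    // Ordinary transfers: accept and wrap immediately, so the contract
    // never holds raw ETH on this path.
    receive() external payable {
        weth.deposit{value: msg.value}();
        emit NativeWrapped(msg.sender, msg.value);
    }

    // selfdestruct (and coinbase/withdrawal credits) bypass receive().
    // Anyone may call this to wrap whatever balance has accumulated, so
    // forced ETH is never permanently locked and address(this).balance
    // is kept at zero rather than trusted by any logic.
    function wrapForcedNative() external returns (uint256 wrapped) {
        wrapped = address(this).balance;
        if (wrapped == 0) return 0;
        weth.deposit{value: wrapped}();
        emit ForcedNativeWrapped(wrapped);
    }

    // View used by tests or monitoring: wETH this contract holds.
    function wrappedBalance() external view returns (uint256) {
        return weth.balanceOf(address(this));
    }
}
```

Two caveats follow from this sketch. First, wrapping only changes the asset type; who the resulting wETH belongs to (protocol treasury, the sender, or a fee pool) is a design decision the contract must make explicitly, which is the ownership ambiguity the finding warns about. Second, adding receive() turns a contract that currently rejects plain ETH into one that accepts it; if native-token support is not actually wanted, keep the contract without receive() and retain only the sweep, so the selfdestruct residue has a recovery path without inviting deposits.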