OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: medium
Invalid

Buying your own order (Self-buy)

Author Revealed upon completion

Root + Impact

Description

Normally, the protocol should prevent sellers from buying their own orders to avoid commission abuse, wash trading, or manipulation of protocol statistics.
In the current implementation, there is no check to prevent the seller from purchasing their own order, which can lead to protocol abuse.

function buyOrder(uint256 _orderId) public {
    Order storage order = orders[_orderId];
    // ... existing checks ...
    // @> There is no check that order.seller != msg.sender
    order.isActive = false;
    // ... rest of the code ...
}

Risk

Likelihood: High.
Any seller can buy their own order at any time.

Impact:

The seller can "wash" the protocol fee, manipulate trading volume, or create fake activity.
This can negatively affect protocol statistics, fee distribution, and trust in the platform.
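
An off-chain check for the statistics impact described above, added here as an example (it is not part of the submission or of the OrderBook code base): it separates fills where buyer and seller are the same address from organic volume. The Fill record, its field names and the sample data are assumptions constructed for illustration; a real monitor would populate them from the contract's order-fill records.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fill:
    # Hypothetical record shape; field names are assumptions, not the contract's.
    order_id: int
    seller: str  # address that created the order
    buyer: str   # msg.sender of the buyOrder call
    volume: int  # value of the fill in the quote token's smallest unit


def _norm(addr: str) -> str:
    # Mixed-case and lowercase hex spellings name the same account.
    return addr.strip().lower()


def split_self_fills(fills):
    """Return (organic_volume, self_volume, {seller: [order_ids]})."""
    organic = self_vol = 0
    flagged = {}
    for f in fills:
        if _norm(f.seller) == _norm(f.buyer):
            self_vol += f.volume
            flagged.setdefault(_norm(f.seller), []).append(f.order_id)
        else:
            organic += f.volume
    return organic, self_vol, flagged


# Constructed sample fills (addresses and amounts are made up).
ALICE = "0xAbC0000000000000000000000000000000000001"
BOB = "0x0000000000000000000000000000000000000b0b"
SAMPLE_FILLS = [
    Fill(1, ALICE, BOB, 1000),
    Fill(2, ALICE, ALICE.lower(), 1000),  # self-buy, different casing
    Fill(3, BOB, ALICE, 250),
    Fill(4, BOB, BOB, 4000),              # self-buy
]

if __name__ == "__main__":
    organic, self_vol, flagged = split_self_fills(SAMPLE_FILLS)
    print(f"reported volume: {organic + self_vol}")
    print(f"organic volume:  {organic}")
    for seller, ids in flagged.items():
        print(f"self-filled by {seller}: orders {ids}")
```
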

Proof of Concept

// The seller creates an order, then immediately buys it themselves
orderBook.createSellOrder(token, 100, 1000, 1000);
orderBook.buyOrder(orderId); // msg.sender == seller

Recommended Mitigation

- // No check for self-buy
+ if (order.seller == msg.sender) revert SellerCannotBuyOwnOrder();
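Review bot: The added line reverts with SellerCannotBuyOwnOrder(), but the hunk does not declare that custom error; if the contract does not already define it, add "error SellerCannotBuyOwnOrder();" in the same change. The hunk also has no context lines, so say where the check goes: in buyOrder with the existing checks, before "order.isActive = false", so a self-buy reverts before any state is written.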
Updates

Lead Judging Commences

yeahchibyke Lead Judge
6 days ago
yeahchibyke Lead Judge about 5 hours ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
