OrderBook

First Flight #43
Submission Details
Impact: medium
Likelihood: medium
Invalid

Unchecked integrity of core token during initialization

Root + Impact

Description

  • The constructor of the OrderBook contract does not validate the integrity of core token assignments, allowing logically incorrect token roles to go unnoticed.

  • The deployer may accidentally or intentionally swap the order of constructor arguments (e.g., passing WSOL where WETH should be and vice versa), in which case the contract will store incorrect references for core tokens.

Risk

Likelihood: Medium

  • Human error in deployment is common, especially when constructor arguments are similar in type and not validated.

Impact: Medium

  • Misclassification of core tokens may break the logic and assumptions of the contract and affect UX.

  • Users may be misled into buying or selling the wrong asset.

Proof of Concept

  1. Add a new OrderBook instance (misconfiguredBook) to the TestOrderBook contract

  2. Add the following test, then run forge test -vv --match-test test_misconfiguredOrderBook_swappedWETHandWSOL

    function test_misconfiguredOrderBook_swappedWETHandWSOL() public {
        // Constructor order is (_weth, _wbtc, _wsol, _usdc, _owner); wsol and weth are swapped here
        misconfiguredBook = new OrderBook(address(wsol), address(wbtc), address(weth), address(usdc), owner);
        // bob creates sell order for weth
        console2.log("Bob intends to create a sell order for WETH");
        vm.startPrank(bob);
        weth.approve(address(misconfiguredBook), 2e18);
        uint256 bobId = misconfiguredBook.createSellOrder(address(weth), 2e18, 5_000e6, 2 days);
        vm.stopPrank();
        assert(bobId == 1);
        assert(weth.balanceOf(bob) == 0);
        assert(weth.balanceOf(address(misconfiguredBook)) == 2e18);
        // The order details label the WETH deposit using the misassigned token role
        string memory bobOrderDetails = misconfiguredBook.getOrderDetailsString(bobId);
        console2.log("Bob creates an order:\n", bobOrderDetails);
    }

PoC Results:

forge test -vv --match-test test_misconfiguredOrderBook_swappedWETHandWSOL
[⠊] Compiling...
[⠊] Compiling 1 files with Solc 0.8.26
[⠒] Solc 0.8.26 finished in 980.42ms
Compiler run successful!
Ran 1 test for test/TestOrderBook.t.sol:TestOrderBook
[PASS] test_misconfiguredOrderBook_swappedWETHandWSOL() (gas: 3022756)
Logs:
Bob intends to to create a sell order for WETH
Bob creates an order:
Order ID: 1
Seller: 0x5836fb2f9de86916f726f675aa83ced224c0e7b3
Selling: 2000000000000000000 wSOL
Asking Price: 5000000000 USDC
Deadline Timestamp: 172801
Status: Active
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 9.87ms (2.17ms CPU time)
Ran 1 test suite in 331.65ms (9.87ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)
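
The PoC passes because the constructor only rejects zero addresses, so a swapped order can also be caught off-chain before deployment. The following is an added example, not part of the submission or the OrderBook project: a pre-deployment check that compares the ordered token arguments with per-role addresses pinned by the deployer. The pinned addresses and the function names are constructed for illustration.

```python
# Token parameter order taken from the OrderBook constructor shown on this page.
PARAM_ORDER = ("_weth", "_wbtc", "_wsol", "_usdc")
ZERO = "0x" + "00" * 20

# Constructed placeholder addresses (not real deployments); in practice pin
# the addresses you verified for the target chain.
PINNED = {
    "_weth": "0x" + "11" * 20,
    "_wbtc": "0x" + "22" * 20,
    "_wsol": "0x" + "33" * 20,
    "_usdc": "0x" + "44" * 20,
}

def _norm(addr):
    """Lower-case a 20-byte hex address; raise ValueError on malformed input."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42):
        raise ValueError(f"malformed address: {addr!r}")
    int(a, 16)  # raises ValueError on non-hex characters
    return a

def check_constructor_args(args, pinned=PINNED):
    """Return a list of findings; an empty list means every slot holds its pinned token."""
    if len(args) != len(PARAM_ORDER):
        return [f"expected {len(PARAM_ORDER)} token arguments, got {len(args)}"]
    findings = []
    role_of = {_norm(a): role for role, a in pinned.items()}
    seen = {}  # address -> first slot it appeared in
    for slot, raw in zip(PARAM_ORDER, args):
        addr = _norm(raw)
        if addr == ZERO:
            findings.append(f"{slot}: zero address")
        elif addr in seen:
            findings.append(f"{slot}: same address as {seen[addr]}")
        elif addr != _norm(pinned[slot]):
            # Name the role whose address landed in this slot, if it is a pinned one.
            actual = role_of.get(addr, "an unpinned address")
            findings.append(f"{slot}: received {actual}")
        seen.setdefault(addr, slot)
    return findings
```

Run against the argument order used in the PoC, the check reports both affected slots, which identifies the swap rather than only signalling a mismatch.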

Recommended Mitigation

Inside OrderBook.sol:

  1. import IERC20Metadata

    import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol"; // For token metadata

  2. Add the name check for each core token into constructor

    constructor(address _weth, address _wbtc, address _wsol, address _usdc, address _owner) Ownable(_owner) {
    if (_weth == address(0) || _wbtc == address(0) || _wsol == address(0) || _usdc == address(0)) {
    revert InvalidToken();
    }
    if (_owner == address(0)) {
    revert InvalidAddress();
    }
    + if (!Strings.equal(IERC20Metadata(_weth).name(), "MockWETH")
    + || !Strings.equal(IERC20Metadata(_wbtc).name(), "MockWBTC")
    + || !Strings.equal(IERC20Metadata(_wsol).name(), "MockWSOL")
    + || !Strings.equal(IERC20Metadata(_usdc).name(), "MockUSDC")) {
    + revert InvalidToken(); // Ensure correct token names
    + }
    iWETH = IERC20(_weth);
    allowedSellToken[_weth] = true;
    iWBTC = IERC20(_wbtc);
    allowedSellToken[_wbtc] = true;
    iWSOL = IERC20(_wsol);
    allowedSellToken[_wsol] = true;
    iUSDC = IERC20(_usdc);
    _nextOrderId = 1; // Start order IDs from 1
    }
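
Review bot: the added condition compares name() against the literals "MockWETH", "MockWBTC", "MockWSOL" and "MockUSDC", so the constructor would revert with InvalidToken() for any token that is not one of the test mocks, and because name() is whatever the token contract chooses to return, a matching name does not prove the address is the intended token. Consider comparing the passed addresses against expected addresses supplied per deployment instead of matching names, and keep the mock names out of production code. The added lines also call Strings.equal, while step 1 only adds the IERC20Metadata import; confirm that Strings is already imported in OrderBook.sol. A token that does not implement IERC20Metadata would make the name() call itself revert, which is worth a comment next to the check.
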
Updates

Lead Judging Commences

yeahchibyke Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Too generic
