OrderBook

First Flight #43

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

There are no human readable token names for non-core tokens in contract

chudesa

Description

Owner can set new allowed token to sell in functinon (

setAllowedSellToken
), but he cannot set token symbol for this token, which should use in function

getOrderDetailsString
As a result, the getOrderDetailsString function will not output the token name if it is not core-token

Risk

The human-readable name of the token will not be displayed when calling a public function getOrderDetailsString.

Proof of Concept

function getOrderDetailsString(uint256 _orderId) public view returns (string memory details) {

Order storage order = orders[_orderId];

if (order.seller == address(0)) revert OrderNotFound(); // Check if order exists

// @audit token tokenSymbol sets only for core-tokens

string memory tokenSymbol;

if (order.tokenToSell == address(iWETH)) {

tokenSymbol = "wETH";

} else if (order.tokenToSell == address(iWBTC)) {

tokenSymbol = "wBTC";

} else if (order.tokenToSell == address(iWSOL)) {

tokenSymbol = "wSOL";

}

...

}

Recommended Mitigation

+ mapping(address => string) private _nonRootTokenNames;

+ function setAllowedSellToken(address _token, bool _isAllowed, string _tokenSymbol) external onlyOwner {

- function setAllowedSellToken(address _token, bool _isAllowed) external onlyOwner {

if (_token == address(0) || _token == address(iUSDC)) revert InvalidToken(); // Cannot allow null or USDC itself

allowedSellToken[_token] = _isAllowed;

+ _nonRootTokenNames[_token] = _tokenSymbol;

emit TokenAllowed(_token, _isAllowed);

}

function getOrderDetailsString(uint256 _orderId) public view returns (string memory details) {

Order storage order = orders[_orderId];

if (order.seller == address(0)) revert OrderNotFound(); // Check if order exists

// @audit token tokenSymbol sets only for core-tokens

string memory tokenSymbol;

if (order.tokenToSell == address(iWETH)) {

tokenSymbol = "wETH";

} else if (order.tokenToSell == address(iWBTC)) {

tokenSymbol = "wBTC";

} else if (order.tokenToSell == address(iWSOL)) {

tokenSymbol = "wSOL";

}

+ else if (_nonRootTokenNames[order.tokenToSell] != adress(0)) {tokenSymbol = _nonRootTokenNames[order.tokenToSell]}+

...

}

Updates

Lead Judging Commences

yeahchibyke Lead Judge about 1 month ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

217

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.