OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

Incomplete Token Restrictions in `OrderBook::emergencyWithdrawERC20`

Description

The `emergencyWithdrawERC20` function restricts withdrawal of core tokens by hardcoding checks for `iWETH`, `iWBTC`, `iWSOL`, and `iUSDC`, but it doesn’t check whether the token is listed in `allowedSellToken`.


Impact:

If a new token is added to `allowedSellToken` via `setAllowedSellToken()`, the owner could withdraw user-deposited tokens via the emergency function, even if they are actively being used in orders.

Proof of Concept

Only the hardcoded tokens are checked:

if (_tokenAddress == address(iWETH) || ...) revert;

`allowedSellToken[_tokenAddress]` is not checked.

Recommended Mitigation

Also check `allowedSellToken[_tokenAddress] == true` to block withdrawals of any currently accepted sell token:

function emergencyWithdrawERC20(address _tokenAddress, uint256 _amount, address _to) external onlyOwner {
if (
_tokenAddress == address(iWETH) || _tokenAddress == address(iWBTC) || _tokenAddress == address(iWSOL)
|| _tokenAddress == address(iUSDC)
) {
revert("Cannot withdraw core order book tokens via emergency function");
}
if (_to == address(0)) {
revert InvalidAddress();
}
+ require(!allowedSellToken[_tokenAddress], "Cannot withdraw active sell token");
IERC20 token = IERC20(_tokenAddress);
token.safeTransfer(_to, _amount);
emit EmergencyWithdrawal(_tokenAddress, _amount, _to);
}
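
Review bot: The added `require(!allowedSellToken[_tokenAddress], ...)` tests only the token's current listing flag, so it protects deposits only while the token stays listed. If `setAllowedSellToken()` can also clear the flag, a delisted token that still backs open orders would pass this check; consider guarding on the balance held for open orders rather than on the flag alone. On style, the function already reverts with the custom error `InvalidAddress()`, so a custom error here would be more consistent than a new revert string, and the check could sit beside the hardcoded-token guard at the top, before the `_to` validation.
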
Updates

Lead Judging Commences

yeahchibyke Lead Judge
about 1 month ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
