OrderBook

First Flight #43
Beginner Friendly
Solidity
100 EXP
Submission Details
Severity: low
Valid

Orders get stuck after the deadline

Author Revealed upon completion

Root + Impact

Description

  • Orders get stuck after the deadline

  • In the current implementation, only the seller can cancel an order, even after its deadline has expired. If the seller becomes inactive or loses access to their wallet, the order remains permanently locked in the contract and the tokens are inaccessible.

function cancelSellOrder(uint256 _orderId) public {
    Order storage order = orders[_orderId];
    // @> Only the seller can cancel the order, even after the deadline has passed
    if (order.seller != msg.sender) revert NotOrderSeller();
    // ... (rest of the function not shown)
}

Risk

Likelihood:

  • Reason 1: If the seller loses access to their wallet or becomes inactive, no one can cancel the expired order.

  • Reason 2: Orders with expired deadlines may accumulate in the contract, increasing the amount of "dead" or locked funds.

Impact:

  • Impact 1: User funds may be permanently locked in the contract.

  • Impact 2: Trust in the protocol decreases and user experience suffers.

  • Impact 3: "Garbage" accumulates in the contract, making state analysis more difficult.

Proof of Concept

A user creates an order with a short deadline, then loses access to their wallet. No one can cancel the order, and the tokens remain locked in the contract forever.
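
The scenario above written as a Foundry test, added here as an illustration and not taken from the submission or the OrderBook code base. `OrderBookModel`, `openOrder`, `refunded` and the `mitigated` switch are assumptions made for the example, and forge-std is assumed to be installed; the second test also checks that the refund lands with the seller rather than the caller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in, not the audited contract: escrow is a counter, not an ERC20 transfer.
contract OrderBookModel {
    error NotOrderSeller();
    error OrderAlreadyInactive();
    struct Order { address seller; uint256 amountToSell; uint256 deadlineTimestamp; bool isActive; }
    mapping(uint256 => Order) public orders;
    mapping(address => uint256) public refunded; // tokens handed back, per recipient
    bool public immutable mitigated;             // false: current check, true: first suggested fix
    constructor(bool _mitigated) { mitigated = _mitigated; }
    // Hypothetical helper that opens an order; the real creation function is not shown in the report.
    function openOrder(uint256 id, uint256 amount, uint256 duration) external {
        orders[id] = Order(msg.sender, amount, block.timestamp + duration, true);
    }
    function cancelSellOrder(uint256 id) external {
        Order storage order = orders[id];
        if (!order.isActive) revert OrderAlreadyInactive();
        bool sellerOnly = !mitigated || block.timestamp < order.deadlineTimestamp;
        if (order.seller != msg.sender && sellerOnly) revert NotOrderSeller();
        order.isActive = false;
        refunded[order.seller] += order.amountToSell; // refund the seller, never msg.sender
    }
}

contract ExpiredOrderTest is Test {
    address seller = address(0xA11CE);
    address stranger = address(0xB0B);
    function _expiredOrder(bool mitigated) internal returns (OrderBookModel book) {
        book = new OrderBookModel(mitigated);
        vm.prank(seller);
        book.openOrder(1, 100e18, 1 hours);
        vm.warp(block.timestamp + 2 hours); // deadline has passed, seller is gone
    }
    function test_currentCheck_keepsExpiredOrderLocked() public {
        OrderBookModel book = _expiredOrder(false);
        vm.expectRevert(OrderBookModel.NotOrderSeller.selector);
        vm.prank(stranger);
        book.cancelSellOrder(1);
    }
    function test_mitigation_refundsSellerNotCaller() public {
        OrderBookModel book = _expiredOrder(true);
        vm.prank(stranger);
        book.cancelSellOrder(1);
        assertEq(book.refunded(seller), 100e18);
        assertEq(book.refunded(stranger), 0);
    }
}
```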

Recommended Mitigation

- if (order.seller != msg.sender) revert NotOrderSeller();
+ if (order.seller != msg.sender && block.timestamp < order.deadlineTimestamp) revert NotOrderSeller();
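Review bot: Confirm that the refund in the rest of `cancelSellOrder`, which is not visible here, goes to `order.seller` and not `msg.sender`, because the condition on the `+` line lets any caller through once `block.timestamp >= order.deadlineTimestamp`. A test in which a non-seller cancels an expired order and the seller's balance increases would cover this. The function's documentation should also state that cancellation becomes permissionless at `deadlineTimestamp`, since the `NotOrderSeller` error name no longer describes the whole rule.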
Or add a separate function:
+ function cancelExpiredOrder(uint256 _orderId) external {
Order storage order = orders[_orderId];
if (block.timestamp < order.deadlineTimestamp) revert("OrderNotExpired");
if (!order.isActive) revert OrderAlreadyInactive();
order.isActive = false;
IERC20(order.tokenToSell).safeTransfer(order.seller, order.amountToSell);
emit OrderCancelled(_orderId, order.seller);
+ }
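Review bot: The expiry check uses a string revert, `revert("OrderNotExpired")`, while the next line and the existing code use custom errors (`OrderAlreadyInactive`, `NotOrderSeller`); declare `error OrderNotExpired();` and use `revert OrderNotExpired();` so callers and tests can match on one error style. Checking `order.isActive` before the deadline would also give a clearer failure for an order that was already filled or cancelled, and if `orders` returns a zeroed struct for an unknown `_orderId`, that case currently passes the expiry check and surfaces as `OrderAlreadyInactive`. The new external function has no NatSpec describing who may call it and where the tokens go.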
Updates

Lead Judging Commences

yeahchibyke Lead Judge about 5 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

Expired orders can cause backlog

By design only `seller` can call `cancelSellOrder()` on their `order`. But when an `order` expires, and the `seller` doesn't have access to the protocol, the expired `order` should be able to be cancelled by an `admin`.
