OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

## [H-1] Owner Can Disable Core Tokens (Owner Privilege + Core Token Trading Disruption)

Description:

The OrderBook::setAllowedSellToken function allows the contract owner to set the OrderBook::allowedSellToken mapping status of core tokens (wETH, wBTC, wSOL) to false. This prevents creating or amending sell orders for these tokens, as allowedSellToken[_tokenToSell] is checked in OrderBook::createSellOrder. Although core tokens are initialized as true in the constructor, no restriction prevents the owner from disabling them later.

Impact:

Disabling core tokens (wETH, wBTC, wSOL) halts trading for these assets, breaking the order book's primary functionality. Users cannot create new sell orders or amend existing ones for affected tokens, potentially locking liquidity and eroding trust in the platform.

Proof of Concept:

  1. Deploy the OrderBook contract with valid addresses for wETH, wBTC, wSOL, and USDC.

  2. Owner calls setAllowedSellToken(address(iWETH), false) to disable wETH.

  3. Alice attempts to create a sell order for wETH via createSellOrder(address(iWETH), 1e18, 2500e6, 1 days).

  4. Transaction reverts with InvalidToken() error because allowedSellToken[address(iWETH)] == false.

  5. Existing wETH orders remain unaffected, but no new wETH orders can be created or amended.

Add this to test/TestOrderBook.t.sol

PoC Test Code:

```solidity
function test_ownerCanDisableCoreToken() public {
    // Verify wETH is initially allowed
    assertTrue(book.allowedSellToken(address(weth)), "wETH should be allowed initially");

    // Owner disables wETH
    vm.prank(owner);
    book.setAllowedSellToken(address(weth), false);

    // Verify wETH is now disabled
    assertFalse(book.allowedSellToken(address(weth)), "wETH should be disabled");

    // Alice attempts to create a sell order for wETH
    vm.startPrank(alice);
    weth.approve(address(book), 1e18);
    vm.expectRevert(OrderBook.InvalidToken.selector);
    book.createSellOrder(address(weth), 1e18, 2500e6, 1 days);
    vm.stopPrank();
}
```

Recommended Mitigation:

Modify the setAllowedSellToken function to prevent disabling core tokens (wETH, wBTC, wSOL) by adding a check to ensure their allowedSellToken status remains true:

Recommended solution:
function setAllowedSellToken(address _token, bool _isAllowed) external onlyOwner {
if (_token == address(0) || _token == address(iUSDC)) revert InvalidToken();
+ if (_token == address(iWETH) || _token == address(iWBTC) || _token == address(iWSOL)) {
+ require(_isAllowed, "Cannot disable core tokens");
+ }
allowedSellToken[_token] = _isAllowed;
emit TokenAllowed(_token, _isAllowed);
}
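
Review bot: the added `require(_isAllowed, "Cannot disable core tokens")` reverts with a string, while the line directly above it in the same function uses the custom error `revert InvalidToken()`; a dedicated custom error would keep the function's revert style consistent and let tests match on a selector, as the PoC already does for `InvalidToken`. With this check in place the owner can no longer stop new sell orders for wETH, wBTC or wSOL under any circumstances, so the function's documentation should state that core tokens are permanently enabled by design.
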
Updates

Lead Judging Commences

yeahchibyke Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

mcqueengodice Submitter
about 1 month ago
yeahchibyke Lead Judge
about 1 month ago
yeahchibyke Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
