OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: low
Likelihood: high
Invalid

getOrderDetailsString doesn't handle symbols for new tokens

Root + Impact

Description

  • The getOrderDetailsString function is designed to return a formatted string with order details including readable token symbols to provide a good user experience when displaying order information.

  • The function only resolves symbols for a hardcoded set of tokens (wETH, wBTC, wSOL). For any other token that the owner later allows, the tokenSymbol variable stays empty, so the returned order details are incomplete.

```solidity
    string memory tokenSymbol;
@>  if (order.tokenToSell == address(iWETH)) {
@>      tokenSymbol = "wETH";
@>  } else if (order.tokenToSell == address(iWBTC)) {
@>      tokenSymbol = "wBTC";
@>  } else if (order.tokenToSell == address(iWSOL)) {
@>      tokenSymbol = "wSOL";
@>  }
    // tokenSymbol remains empty for any other allowed token
```
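As an added example (not OrderBook's own code), the following library resolves the symbol of any allowed token at runtime instead of relying on a hardcoded mapping. It uses a low-level staticcall so that a token with no symbol() function, or one that returns a bytes32 instead of a string, degrades to a fallback rather than reverting the view; the SymbolResolver name and its functions are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not OrderBook's code: resolve an ERC-20 symbol for any
/// allowed token instead of a hardcoded wETH/wBTC/wSOL mapping.
library SymbolResolver {
    /// Returns the token's symbol, or "UNKNOWN" when it cannot be read.
    /// A low-level staticcall is used because a missing symbol() function
    /// or a non-string return encoding would otherwise revert the caller;
    /// try/catch only catches reverts inside the callee, not decode failures.
    function resolve(address token) internal view returns (string memory) {
        if (token.code.length == 0) return "UNKNOWN";

        (bool ok, bytes memory data) =
            token.staticcall(abi.encodeWithSignature("symbol()"));
        if (!ok) return "UNKNOWN";

        // Case 1: legacy tokens that return a fixed bytes32 (one word).
        if (data.length == 32) {
            return _bytes32ToString(abi.decode(data, (bytes32)));
        }
        // Case 2: ABI-encoded string: offset word, length word, then bytes.
        // Validate the layout first so malformed data cannot make decode revert.
        if (data.length >= 64) {
            uint256 offset;
            uint256 len;
            assembly {
                offset := mload(add(data, 32))
                len := mload(add(data, 64))
            }
            if (offset == 32 && len <= data.length - 64) {
                string memory s = abi.decode(data, (string));
                return bytes(s).length == 0 ? "UNKNOWN" : s;
            }
        }
        return "UNKNOWN";
    }

    /// Converts a right-padded bytes32 symbol to a trimmed string.
    function _bytes32ToString(bytes32 raw) private pure returns (string memory) {
        uint256 len = 0;
        while (len < 32 && raw[len] != 0) len++;
        bytes memory out = new bytes(len);
        for (uint256 i = 0; i < len; i++) out[i] = raw[i];
        return string(out);
    }
}
```

In getOrderDetailsString the hardcoded chain would then become a single `SymbolResolver.resolve(order.tokenToSell)` call.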

Risk

Likelihood:

  • This issue occurs whenever a new token is allowed via setAllowedSellToken and users query order details for orders selling that token.

  • The problem manifests immediately after a new token is added; no additional configuration is required to trigger it.

Impact:

  • Poor user experience due to missing or incomplete token information in order details

  • Potential confusion for users trying to understand order information through the interface

  • Reduced usability of the order book system for newly supported tokens

  • Inconsistent display formatting between core tokens and newly added tokens

Proof of Concept

This Foundry test shows that an order for a newly allowed token is displayed without a token symbol:

```solidity
function test_getOrderDetailsString_dontHandleNewTokenSymbols() external {
    // Owner allows a token that is not part of the hardcoded symbol mapping
    vm.prank(owner);
    book.setAllowedSellToken(address(wmatic), true);

    // A seller creates an order for that token
    vm.startPrank(seller_wmatic);
    wmatic.approve(address(book), 1e18);
    book.createSellOrder(address(wmatic), 1e18, 20_000e6, 2 days);
    vm.stopPrank();

    string memory orderDetailsString = book.getOrderDetailsString(1);
    console2.log(orderDetailsString);
    // Logged output:
    // Order ID: 1
    // Seller: 0x21e0d0c3960819beb509d57f3014b464fbbb66af
    // Selling: 1000000000000000000      <-- token symbol missing
    // Asking Price: 20000000000 USDC
    // Deadline Timestamp: 172801
    // Status: Active
}
```

Recommended Mitigation

Resolve the symbol dynamically through the ERC-20 metadata interface, with error handling for tokens that do not implement symbol():

- string memory tokenSymbol;
- if (order.tokenToSell == address(iWETH)) {
- tokenSymbol = "wETH";
- } else if (order.tokenToSell == address(iWBTC)) {
- tokenSymbol = "wBTC";
- } else if (order.tokenToSell == address(iWSOL)) {
- tokenSymbol = "wSOL";
- }
+ string memory tokenSymbol;
+ try IERC20Metadata(order.tokenToSell).symbol() returns (string memory symbol) {
+ tokenSymbol = symbol;
+ } catch {
+ tokenSymbol = "UNKNOWN";
+ }
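Review bot: the `try IERC20Metadata(order.tokenToSell).symbol() returns (string memory symbol)` line only catches reverts raised inside the token; if symbol() returns a bytes32 rather than a string, or the address holds no code, the failure happens while decoding the return data in the caller, which try/catch does not catch, so getOrderDetailsString would revert for such tokens instead of falling back to "UNKNOWN". Consider a low-level staticcall to symbol() with a check on the returned data length before decoding, and note that the replacement also requires importing IERC20Metadata into the contract.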

Updates

Lead Judging Commences

yeahchibyke (Lead Judge), about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
