In normal operation, the order book contract relies on core assets such as WETH, WBTC, and WSOL always remaining tradable as sell tokens. These tokens are whitelisted in the constructor and are expected to be consistently usable throughout the contract's lifetime.
However, the setAllowedSellToken function allows the owner to disable any token, including the core ones initialized in the constructor. This contradicts the protocol's intended behavior and could lead to blocked trading activity, even though the tokens are otherwise valid and integrated.
Likelihood: Low
This issue can only be triggered by the contract owner.
It requires the owner to deliberately or accidentally disable a core asset using setAllowedSellToken.
Impact: Medium
Disabling a core token like WETH would prevent users from placing or filling orders using that token.
If ownership is renounced after disabling, the system becomes permanently unable to re-enable that token, breaking a fundamental trading path.
The owner disables WETH using setAllowedSellToken.
Alice fails to create an order because WETH is no longer in allowedSellToken.
Then the owner attempts to withdraw WETH via emergencyWithdrawERC20, which fails not because of allowedSellToken, but because WETH is still classified as a protected core token.
Prevents the owner from disabling core order book tokens (WETH, WBTC, WSOL) to ensure essential trading functionality remains intact and protocol behavior stays consistent.
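One way to implement this restriction, shown as an added example that is not the audited contract's code. It models only the allow-list logic; the contract name, the isCoreToken mapping, the (address, bool) signature of setAllowedSellToken, the custom errors and the event are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch: only the sell-token allow-list is modelled here.
contract SellTokenAllowList {
    address public owner;
    mapping(address => bool) public allowedSellToken;
    // Assumed helper: marks the tokens whitelisted in the constructor as core.
    mapping(address => bool) public isCoreToken;

    error NotOwner();
    error ZeroAddress();
    error CoreTokenCannotBeDisabled(address token);

    event SellTokenUpdated(address indexed token, bool allowed);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address weth, address wbtc, address wsol) {
        owner = msg.sender;
        _registerCore(weth);
        _registerCore(wbtc);
        _registerCore(wsol);
    }

    // Core tokens are flagged once at deployment and cannot be unflagged later.
    function _registerCore(address token) private {
        if (token == address(0)) revert ZeroAddress();
        isCoreToken[token] = true;
        allowedSellToken[token] = true;
    }

    // Non-core tokens can still be toggled freely by the owner.
    // A core token can never be switched off, so the trading path cannot be
    // blocked by mistake or left disabled after ownership is renounced.
    function setAllowedSellToken(address token, bool allowed) external onlyOwner {
        if (token == address(0)) revert ZeroAddress();
        if (isCoreToken[token] && !allowed) revert CoreTokenCannotBeDisabled(token);
        allowedSellToken[token] = allowed;
        emit SellTokenUpdated(token, allowed);
    }
}
```

With this guard, the first step of the scenario above reverts with CoreTokenCannotBeDisabled, so the allow-list and the protected-core-token classification can no longer disagree.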