This issue allows the owner to withdraw core tokens that are added to the contract after its initialization. According to the documentation, this should not be possible.
The function emergencyWithdrawERC20 is meant to allow withdrawal of non-core tokens only, i.e. tokens that are not used to create orders in the orderbook.
However, the core-token check inside the function is hardcoded to the tokens allowed at contract initialization: WSOL, WBTC, WETH and USDC.
A token later added through setAllowedSellToken is not covered by this check and can therefore be withdrawn with the emergency function.
Likelihood:
Triggered whenever a new token is added to the core tokens via setAllowedSellToken.
Impact:
The owner can withdraw the added core token, including funds that belong to open orders.
Recommended mitigation: check the allowedSellToken mapping inside emergencyWithdrawERC20 instead of the hardcoded list, so that every token currently accepted for orders is blocked from emergency withdrawal.
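The following sketch is an added illustration and is not the audited contract's code: it shows the hardcoded check the finding describes next to the mapping-based check it recommends. The contract name, the constructor, the immutable token addresses and the minimal IERC20 interface are assumptions; only the names emergencyWithdrawERC20, setAllowedSellToken and allowedSellToken come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed for the example (assumed).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed sketch, not the audited orderbook contract.
contract OrderBookSketch {
    address public immutable owner;

    // Core tokens fixed at deployment; addresses are constructor arguments here.
    address public immutable WSOL;
    address public immutable WBTC;
    address public immutable WETH;
    address public immutable USDC;

    // Live allow-list of tokens usable in orders; grows via setAllowedSellToken.
    mapping(address => bool) public allowedSellToken;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address wsol, address wbtc, address weth, address usdc) {
        owner = msg.sender;
        WSOL = wsol;
        WBTC = wbtc;
        WETH = weth;
        USDC = usdc;
        // The initial core tokens must also be in the mapping, otherwise the
        // mapping-based check below would let the owner withdraw them.
        allowedSellToken[wsol] = true;
        allowedSellToken[wbtc] = true;
        allowedSellToken[weth] = true;
        allowedSellToken[usdc] = true;
    }

    // Owner can extend (or shrink) the set of core tokens after deployment.
    function setAllowedSellToken(address token, bool allowed) external onlyOwner {
        allowedSellToken[token] = allowed;
    }

    // Pattern described in the finding: only the four initial core tokens are
    // blocked, so a token added later via setAllowedSellToken passes the check.
    function emergencyWithdrawERC20_vulnerable(address token, address to) external onlyOwner {
        require(
            token != WSOL && token != WBTC && token != WETH && token != USDC,
            "core token"
        );
        _sweep(token, to);
    }

    // Recommended fix: consult the live allow-list instead of a hardcoded list.
    // Any token currently accepted for orders is refused, whenever it was added.
    function emergencyWithdrawERC20_fixed(address token, address to) external onlyOwner {
        require(!allowedSellToken[token], "core token");
        _sweep(token, to);
    }

    // Transfers the contract's entire balance of `token` to `to`.
    function _sweep(address token, address to) internal {
        uint256 amount = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }
}
```

Two points follow from the sketch. First, the fix only holds if the four initial core tokens are also recorded in allowedSellToken at initialization, as the constructor does above; otherwise switching to the mapping would newly expose them. Second, since the owner controls setAllowedSellToken, the mapping check protects order funds from an accidental sweep, but a governance or timelock control on removing a token from the allow-list is what prevents an owner from disabling a token and then sweeping it.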